Tuesday, November 29, 2011

Common Squid Requirements - Part 2


7. Set Maximum Download Size

To cap the size of a file that a client can download, use the reply_body_max_size parameter. The size is given in bytes. For example, to limit downloads to 50 MB (50*1024*1024 = 52428800 bytes), here's how it is done-


root@firefly:~# vim squid.conf

#### Declaring the ACL ####
acl our_network src 192.168.10.0/24
acl vip src 192.168.10.100

#### Applying the ACL ####
#### Again, the sequence is important ####
reply_body_max_size 0 allow vip
#### the vip has no size restrictions ####
reply_body_max_size 52428800 deny our_network
#### no one else in our LAN can download files larger than the limit ####

root@firefly:~# squid -k reconfigure
#### reloads the saved configuration without restarting squid ####

 

8. Setting Specific Time/Date for Internet Access

The following lines have been taken from the file squid.conf. Each day is represented by a single letter. Moreover, browsing time can be limited using the h1:m1-h2:m2 parameter, where h1:m1 < h2:m2.


#acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# day-abbrevs:
# S - Sunday
# M - Monday
# T - Tuesday
# W - Wednesday
# H - Thursday
# F - Friday
# A - Saturday
# h1:m1 must be less than h2:m2

root@firefly:~# vim squid.conf

#### Declaring the ACL ####

acl our_network src 192.168.10.0/24
acl office_hours time SMTWH 09:00-17:00
#### Sunday to Thursday, 9 AM to 5 PM ####

#### Applying the ACL ####

http_access deny !office_hours
#### our LAN is denied Internet outside office hours ####
http_access allow our_network
http_access deny all

root@firefly:~# squid -k reconfigure

9. Setting up Mandatory Authentication for a Page

The first thing that needs to be kept in mind is that proxy authentication is not compatible with a transparent proxy. Although this topic is also covered in Web Server configuration, we would be discussing it nonetheless. We would be needing apache for the process, since it provides the htpasswd tool. Here we go-
  • Installation of package:
    root@firefly:~# apt-get install apache2 #DEBIAN    
    root@firefly:~# yum install httpd #RED HAT
  • Preparing the file for passwords
    root@firefly:~# vim /etc/squid/password_file
    root@firefly:~# chown root:proxy /etc/squid/password_file
    root@firefly:~# chmod 640 /etc/squid/password_file

  • Now would create the users:
    root@firefly:~# htpasswd /etc/squid/password_file username

  • Preparing squid.conf
    #### edit the following section ####
    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/password_file

    #### declaring the ACL ####
    acl our_network src 192.168.10.0/24
    acl login proxy_auth REQUIRED

    #### Applying the ACL ####
    http_access allow our_network login
    http_access deny all


Now, every time someone opens a web browser, they'd be asked for a user name/password combination to get access to the Internet.

I think that much covers the basic needs of proxy servers in an office/business environment. We have also seen a couple of configurations that are not normally needed but are nonetheless important to know. I hope this helps.

Finally, Linux ROCKS!!! \m/ ^_^ \m/

Common squid requirements - Part 1


In this segment, we would be accomplishing the following:

  1. block specific website
  2. block multiple websites
  3. block specific IP
  4. block multiple IPs
  5. block specific MAC
  6. block multiple MACs
  7. set maximum download size
  8. set time/date limit for browsing
  9. set up mandatory authentication before Internet access
We assume that our network is 192.168.10.0/24.

1. Blocking a Specific Website

Although a website can be blocked using different ACL types, the best way to block a website using squid is the 'url_regex' ACL. url_regex matches a regular expression against the URL the browser requests. For example, if we tell squid to block any URL that has the word “jumble” in it, then any website, like jumbleA.com, jumbleB.com, jumbleC.com would be blocked.

root@firefly:~# vim squid.conf

#### Declaring the acl #####
acl our_network src 192.168.10.0/24
acl bad_site url_regex .jumble.com
#### for example, anything.jumble.com, anything2.jumble.com, anything3.jumble.com ####
#### note: this is a regular expression, so an unescaped dot matches any single character ####

#### Applying the acl ####
#### the sequence of the allow/deny is important ####

http_access deny bad_site
### denies bad_site to everyone

http_access allow our_network
### everyone in our_network is allowed anywhere

http_access deny all

root@firefly:~# service squid restart


2. Blocking Multiple Websites

The theory of blocking multiple websites is the same. We would be using url_regex to get the task done. However, the declaration of the ACL is quite different. First, we would be creating a file listing all the sites that need to be blocked, and then tell squid to read that file and match against it.

root@firefly:~# vim /etc/squid/bad_site_file

#### a list of sites to be blocked ####
\.mp3$ ##mp3 files blocked
\.flv$ ##flv files blocked
.jumble.com
.badsite1.com
.badsite2.com
.AreYouKiddingMe.net

root@firefly:~# vim squid.conf

#### Declaring the acl #####
acl our_network src 192.168.10.0/24
acl bad_site url_regex "/etc/squid/bad_site_file"

#### Applying the acl ####
#### the sequence of the allow/deny is important ####

http_access deny bad_site
### denies bad_site to everyone

http_access allow our_network
### Allow our LAN
http_access deny all

root@firefly:~# service squid restart

3. Blocking a Specific IP

A single IP can also be blocked with an ACL; here we declare it directly in the file squid.conf instead of in a separate list file.

root@firefly:~# vim squid.conf

#### Declaring the acl ####
acl our_network src 192.168.10.0/24
acl bad_ip src 192.168.10.254/32
#### a /32 mask matches only this one host; /24 would match the whole network ####

#### the sequence of the allow/deny is important ####
http_access deny bad_ip
### this IP is blocked/denied

http_access allow our_network
### Allow our LAN

http_access deny all

root@firefly:~# service squid restart


4. Blocking Multiple IPs

We would be using the same trick that we used to block multiple websites. We would be creating a file with a list of all the IPs to be blocked.


root@firefly:~# vim /etc/squid/blocked_ip_file
#### a list of IPs to be blocked ####
192.168.10.150
192.168.10.152
192.168.10.253
192.168.10.254

root@firefly:~# vim squid.conf

#### Declaring the acl #####
acl our_network src 192.168.10.0/24
acl black_sheep src "/etc/squid/blocked_ip_file"

#### Applying the acl ####
#### the sequence of the allow/deny is important ####

http_access deny black_sheep
### denies all IP in the ACL

http_access allow our_network
### Allow our LAN

http_access deny all

EXAMPLE2: combining multiple ACLs
#### Applying the acl ####
#### the sequence of the allow/deny is important ####

http_access deny black_sheep bad_site
### denies access to all websites in bad_site_file to all IP in the blocked_ip_file

http_access allow our_network
### Allow our LAN

http_access deny all

root@firefly:~# service squid restart
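As an added illustration (not part of the original post), the following Python script simulates how squid walks the http_access lines from sections 1, 2 and 4 above together with the time ACL from Part 2, section 8: the first matching line wins, every ACL on one line must match, and ! negates. The ACL names, the list contents and the request samples are constructed stand-ins for the files shown on this page, and the time window is assumed to be inclusive at both ends.

```python
import ipaddress
import re
from datetime import datetime

# Squid day letters indexed by datetime.weekday() (Monday=0 .. Sunday=6):
# S=Sunday M=Monday T=Tuesday W=Wednesday H=Thursday F=Friday A=Saturday
DAY_LETTERS = "MTWHFAS"

def parse_time_acl(spec):
    """'SMTWH 09:00-17:00' -> (day letters, start minute, end minute)."""
    days, _, window = spec.partition(" ")
    start, end = (int(h) * 60 + int(m) for h, m in (p.split(":") for p in window.split("-")))
    if start >= end:
        raise ValueError("h1:m1 must be less than h2:m2")
    return set(days), start, end

def acl_matches(acl_type, values, request):
    """One ACL matches if any of its values matches the request."""
    if acl_type == "src":
        return any(ipaddress.ip_address(request["src"]) in ipaddress.ip_network(v, strict=False)
                   for v in values)
    if acl_type == "url_regex":  # a regex: an unescaped '.' matches any single character
        return any(re.search(v, request["url"]) for v in values)
    if acl_type == "time":  # assumption: the window is inclusive at both ends
        days, start, end = parse_time_acl(values[0])
        minute = request["time"].hour * 60 + request["time"].minute
        return DAY_LETTERS[request["time"].weekday()] in days and start <= minute <= end
    raise ValueError(f"unsupported acl type {acl_type}")

def http_access(acls, rules, request):
    """First matching http_access line wins; all ACLs on a line must match; '!' negates."""
    for action, names in rules:
        if all(acl_matches(*acls[n.lstrip("!")], request) != n.startswith("!") for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"  # Squid default: opposite of last line

# Constructed stand-ins for this page's ACLs; list ACLs hold what the list files would contain.
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "our_network": ("src", ["192.168.10.0/24"]),
    "black_sheep": ("src", ["192.168.10.150", "192.168.10.254"]),
    "bad_site": ("url_regex", [r"\.mp3$", r"\.flv$", ".jumble.com", ".badsite1.com"]),
    "office_hours": ("time", ["SMTWH 09:00-17:00"]),
}
RULES = [("deny", ["!office_hours"]), ("deny", ["black_sheep", "bad_site"]),
         ("allow", ["our_network"]), ("deny", ["all"])]

def decide(src, url, when="2011-11-28T10:00"):  # default: a Monday at 10:00
    return http_access(ACLS, RULES, {"src": src, "url": url, "time": datetime.fromisoformat(when)})
```

The last assertion-worthy case is the regex caveat: with the dot unescaped, ".jumble.com" also matches a host such as xjumblexcom.example.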

 

5. Blocking Specific MAC

The process of blocking a MAC address is almost the same as the process of blocking IP addresses, using the arp ACL type. Note that squid reads the MAC from its ARP table, so an arp ACL only matches clients on the same network segment as the proxy, and squid must have been built with ARP ACL support. Here is how it works -
root@firefly:~# vim squid.conf

#### Declaring the ACL ####
acl our_network src 192.168.10.0/24
acl bad_mac arp 48:5B:39:0C:CE:10

#### the sequence of the allow/deny is important ####
http_access deny bad_mac
### this MAC address is blocked/denied

http_access allow our_network
### Allow our LAN

http_access deny all

root@firefly:~# service squid restart


6. Blocking Multiple MAC Addresses

We would be using the same trick that we used to block multiple IPs. We would be creating a file with a list of all the MAC addresses to be blocked.

root@firefly:~# vim /etc/squid/blocked_mac_file
#### a list of MAC addresses to be blocked ####
48:5B:39:0C:CE:10
00:1F:D0:63:A3:03

root@firefly:~# vim squid.conf

#### Declaring the acl #####
acl our_network src 192.168.10.0/24
acl bad_macs arp "/etc/squid/blocked_mac_file"

#### Applying the acl ####
#### the sequence of the allow/deny is important ####

http_access deny bad_macs
### denies all MAC addresses in the ACL

http_access allow our_network

### Allow our LAN
http_access deny all

root@firefly:~# service squid restart

Sunday, November 13, 2011

Deploying Transparent Proxy Server using SQUID (Minimum Configuration)

This section only describes the minimum configuration needed for Transparent Proxy Server. Tweaking and tuning would be discussed in later sections.
A proxy service is a service that handles requests on behalf of another service. For example, if we want to filter and manage web requests (usually TCP port 80), we assign 'another' service to oversee the task. That 'other' service is the proxy server.
One may think: why would I use a proxy when I can control and filter web traffic using a firewall? Well, the answer is
  • Caching: The proxy server caches frequently accessed web elements in the RAM and hard drive of the computer. If a requested web element is found in the cache, it is supplied to the user from the cache. Since the cached element is fetched from the LAN, the fetch time is significantly reduced. This gives us two benefits:
    • Speeds up the Internet browsing experience
    • Saves bandwidth, as the same element is not fetched over and over again from the Internet.
  • Additional Layer of Security: Although a firewall can also be used skilfully to manage web traffic, using a proxy service to filter and control requests places an additional layer of security in the system. Plus, filtering requests is really easy using Squid, as it can resolve names and IPs easily.
Configuration:
I'm using CentOS. The configuration file is /etc/squid/squid.conf. Always make sure that the configuration file has been backed up before editing.
  1. yum install squid
  2. vim /etc/squid/squid.conf

      ## setting the port on which squid will listen for http traffic.
      ## transparent is used because we will make it transparent proxy
      http_port 3128 transparent

      ## defining the LAN
      acl my_network src 192.168.10.0/24

      ## allowing my network to use proxy
      http_access allow my_network
      ## denying proxy service to everyone else
      http_access deny all
      ## save & exit
  3. Add the rule to the firewall. We are assuming that eth1 is the Network Interface Card on the LAN.
    iptables -t nat -A PREROUTING -i eth1 -s 192.168.10.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128
  4. service squid restart; chkconfig squid on
Verifying:
  1. By monitoring the proxy log
    tailf /var/log/squid/access.log
  2. By monitoring the firewall counters to confirm that web traffic is being redirected:
    watch iptables -t nat -nvL

    9735 472K DNAT tcp -- eth1 * 192.168.10.0/24 0.0.0.0/0 tcp dpt:80 to:192.168.10.1:3128
The minimum squid configuration is now complete. A portion of the cached web elements is held in RAM, while the majority is stored on the hard drive. We would be discussing how to filter and manipulate web traffic using squid in later sections.

Hope it helps. Linux Rocks!!!

Saturday, November 12, 2011

Kicking out a logged in user in Linux

Another thing that I never did before. Suppose you have a system with currently logged in users whose sessions you want to terminate. The easiest way to check for logged in users is:

[root@busy-bee log]# w
 13:06:51 up  1:24,  2 users,  load average: 1.15, 1.10, 1.15
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
sarmed   pts/0    192.168.1.6      12:36    0.00s  0.06s  0.03s sshd: sarmed
mujahid  pts/1    192.168.2.9      11:48    1:17m  1:03m  0.04s sshd: mujahid


Now, suppose I want to terminate the session for user mujahid. This is how it is done-

[root@busy-bee log]# pkill -KILL -u mujahid
[root@busy-bee log]# w
 13:08:47 up  1:26,  1 user,  load average: 1.09, 1.10, 1.14
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
sarmed   pts/0    192.168.1.6      12:36    0.00s  0.08s  0.03s sshd: sarmed

Piece of cake.

Additional options:
To 'pause' a user:
[root@busy-bee log]# pkill -STOP -u mujahid

To 'resume' a user:
[root@busy-bee log]# pkill -CONT -u mujahid

Wednesday, November 2, 2011

Static Routes Using Linux

My workplace LAN has around 500 hosts, and to make it more complicated, the hosts are spread across 6 geographic locations. I would still call our network a LAN because administrative privilege is limited to a few people. Anyway, like any other huge network, the LAN had broadcast problems, usually caused by viruses and Windows NetBIOS broadcasts. The management had used a separate IP addressing scheme for each campus, but what they failed to realize is that, unless a layer-3 device is deployed, the network is one HUGE broadcast domain regardless of the IP addressing scheme.

Anyway, I wanted to deploy Cisco Catalyst switches to implement VLANs and reduce the size of the broadcast domains. But somehow the management always prefers the cheaper solution, right? My case is not much different. As a cheaper alternative, I have recently deployed a Linux host that acts as a router to divide the broadcast domain. Now the technical stuff begins.

Let us assume that there are 3 Linux computers, firefly, busy-bee and scorpion, one at each location, plus a Linux computer that has 4 LAN cards installed. We would configure each of its NICs as a separate subnet and see how we can make things work. Let us name that Linux computer Spider.

Let us build a scenario:

Host: firefly.example.com
Location: Mountain
Function: NAT and Proxy server for Mountain users
NIC1: R1 (Real IP provided by ISP)
NIC2: 192.168.10.1/24


Host: busy-bee.example.com
Location: Forest
Function: NAT & Proxy server for Forest users
NIC1: R2 (Real IP provided by ISP)
NIC2: 192.168.20.1/24

Host: scorpion.example.com
Location: Desert
Function: NAT & Proxy Server for Desert users
NIC1: R3 (Real IP provided by ISP)
NIC2: 192.168.30.1/24


Host: spider
Location: Mountain OR Forest OR Desert, doesn't matter.
Function: Works as a router between Mountain, Forest and Desert
NIC1: 192.168.10.254/24
NIC2: 192.168.20.254/24
NIC3: 192.168.30.254/24

Spider Configuration:

vim /etc/sysctl.conf
net.ipv4.ip_forward=1
## apply the sysctl change without a reboot
sysctl -p
iptables -t nat -A POSTROUTING -o NIC1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o NIC2 -j MASQUERADE
iptables -t nat -A POSTROUTING -o NIC3 -j MASQUERADE

Firefly Configuration:
route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.10.254 dev NIC2
route add -net 192.168.30.0 netmask 255.255.255.0 gw 192.168.10.254 dev NIC2

The route command would contain output like this:

root@firefly:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags       Metric Ref    Use Iface
192.168.20.0    192.168.10.254     255.255.255.0   UG    0      0        0    eth2
192.168.30.0    192.168.10.254     255.255.255.0   UG    0      0        0    eth2


Busy-bee Configuration:
route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.20.254 dev NIC2
route add -net 192.168.30.0 netmask 255.255.255.0 gw 192.168.20.254 dev NIC2

Scorpion Configuration:
route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.30.254 dev NIC2
route add -net 192.168.20.0 netmask 255.255.255.0 gw 192.168.30.254 dev NIC2
## scorpion sits on 192.168.30.0/24, so its gateway is spider's NIC3 address

########## End of Configuration ###########

If the physical connectivity is alright, try pinging from one network to the other to test connectivity. For example, if you can't ping from Forest to Desert, check whether you can ping spider.example.com, especially the corresponding NIC of Desert. Use common troubleshooting, shouldn't be that hard. 
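As an added check that is not part of the original post, the following Python script models the scenario above, generates each site's static routes from spider's addresses, and verifies that every gateway lies on the host's directly connected subnet; a route whose gw belongs to another site's LAN is exactly the kind the kernel refuses to install. The NIC names are the placeholders used in the scenario, not real interface names.

```python
import ipaddress

# Constructed model of the scenario above: each host's directly connected LAN interfaces.
# NIC names are the placeholders used on this page, not real interface names.
HOSTS = {
    "firefly": {"NIC2": "192.168.10.1/24"},
    "busy-bee": {"NIC2": "192.168.20.1/24"},
    "scorpion": {"NIC2": "192.168.30.1/24"},
    "spider": {"NIC1": "192.168.10.254/24", "NIC2": "192.168.20.254/24",
               "NIC3": "192.168.30.254/24"},
}

def connected_net(host, nic):
    """Subnet directly reachable through this interface."""
    return ipaddress.ip_interface(HOSTS[host][nic]).network

def spider_gateway_for(host, nic):
    """Spider's address on this host's own LAN: the only usable gw for its static routes."""
    lan = connected_net(host, nic)
    for addr in HOSTS["spider"].values():
        iface = ipaddress.ip_interface(addr)
        if iface.network == lan:
            return str(iface.ip)
    raise LookupError(f"spider has no interface on {lan}")

def generate_routes(host, nic="NIC2"):
    """'route add -net ...' lines reaching every other site's subnet via spider."""
    own = connected_net(host, nic)
    gw = spider_gateway_for(host, nic)
    cmds = []
    for addr in HOSTS["spider"].values():
        net = ipaddress.ip_interface(addr).network
        if net != own:
            cmds.append(f"route add -net {net.network_address} netmask {net.netmask} "
                        f"gw {gw} dev {nic}")
    return cmds

def check_route(host, cmd):
    """True if the gateway in a 'route add' line sits on the named interface's subnet;
    otherwise the kernel rejects the route (SIOCADDRT: Network is unreachable)."""
    parts = cmd.split()
    gw = ipaddress.ip_address(parts[parts.index("gw") + 1])
    nic = parts[parts.index("dev") + 1]
    return gw in connected_net(host, nic)
```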

Tested and working for me :). Linux rocks!!!