Hi Antonio,
Antonio Pereira wrote:
Hi Tek,
Can you setup the same IP address range on the same linux box with squid?
Example
Nic1 192.168.0.2 this will connect to firewall
Nic2 192.168.0.3 this will connect to backbone switch
Yes you can use the same IP address network range on the Linux Squid box.
But since you will be operating Squid in bridging mode, you don't need
to configure the network interfaces eth0 and eth1.
You just need the "bridge-utils" package which contains the tools to
perform bridging.
Thanks to Ariel Molina Rueda for his tutorial at
http://freshmeat.net/articles/view/1433/
I just used the following shell script to setup the bridge:
#!/bin/sh
###Start of bridging script###
# Bring both NICs up with no IP address of their own; the bridge will own the address.
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
# Create the bridge and enslave both interfaces to it
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
#Set IP 192.168.0.2 to br0 for SSH access to the squid box
#192.168.0.1 should match the IP of your Gateway (Firewall)
ifconfig br0 192.168.0.2 netmask 255.255.255.0 up
route add default gw 192.168.0.1 dev br0
#Redirect packets on port 80 to Squid's 3128 port on transparent bridge
# In the broute table ACCEPT means "bridge the frame". The redirect target first
# rewrites the destination MAC to the bridge's own MAC, so TCP port-80 frames are
# delivered to the local IP stack through br0 instead of being forwarded out the
# other bridge port.
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
--ip-destination-port 80 -j redirect --redirect-target ACCEPT
# Those frames now arrive on br0, where the nat table hands them to Squid
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
-j REDIRECT --to-port 3128
###End of Bridging script###
Run this script and add it to your boot/startup run directory.
Plug 1 cable from your backbone switch to the Squid box and another
cable to your Firewall.
If everything goes well, then you have your transparent squid bridge!!
And of course, Squid needs to be configured in transparent mode too.
Happy Proxying....
Thanking you...
Antonio Pereira
National IT Coordinator
Coordinateur National de Technologies de l'Information
Tél./Tel. : (514) 341-8181, ext./poste 267
Téléc./Fax. : (514) 341-1253
Cell: (514) 514-444-6086
Sans Frais/Toll Free: (888) 338-6266 ext./poste 267
Courriel / E-mail. : apereira@xxxxxxxxx
Duocom Canada Inc.
10000, Cavendish Blvd.
Ville St. Laurent (Québec) H4M 2V1
www.duocom.ca
-----Original Message-----
From: Tek Bahadur Limbu [mailto:teklimbu@xxxxxxxxxxxx]
Sent: Wednesday, September 19, 2007 2:21 AM
To: Antonio Pereira
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Squid setup questions
Hi Antonio,
On Tue, 18 Sep 2007 17:00:25 -0400
"Antonio Pereira" <apereira@xxxxxxxxx> wrote:
Ok Great.
I have a hardware based firewall.
What setup of the squid box is best: physically take the cable from the
firewall, put 2 NICs in the squid box, and plug 1 NIC into the firewall and
the other into the backbone switch? Or just use 1 NIC on the squid box and
put a rule in the firewall to allow only outbound http traffic from the
squid box?
Right now everyone defaults to the firewall and all http traffic goes
out to the internet. We also have VPN and web and SSL traffic coming in
from inbound HTTP.
I think the best layout would be to put 2 NIC cards in the Squid box. Like you said, plug the 1st cable into the firewall and the 2nd cable into your backbone switch where the 4 other sites connect.
The following diagram may represent the simple layout.
Internet
|
|
|
Transparent Squid Bridge Box
|
|
Backbone Switch
|
|
-------------------------------------------------
| | | |
| | | |
Site1 Site2 Site3 Site4
I would like the Squid box to run in transparent bridging mode. This way, you don't have to change anything on your network. Furthermore if your Squid box should go down, which is unlikely, you just reconnect the cable from your backbone switch to your firewall and everything becomes normal again!
Since we won't be running any firewall except for intercepting web requests to Squid's port, your VPN and SSL traffic should not get hampered.
In fact, I am using this setup on a Debian shaper box and so far it is working great.
Hope it helps.
Thanking you...
Thanks again
-----Original Message-----
From: Tek Bahadur Limbu [mailto:teklimbu@xxxxxxxxxxxx]
Sent: Tuesday, September 18, 2007 4:13 PM
To: Antonio Pereira
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Squid setup questions
Hi Antonio,
Antonio Pereira wrote:
Hello,
I have a pretty much redundant question, but I would like some opinions
before I venture into this possible solution.
I have 4 sites on an MPLS network that access the internet via 1
location, at this 1 location there is already a firewall. What I would
like to do is start blocking web sites and start block web traffic.
What is the best setup with squid for this type of setup? What documents
should I read for this type of setup?
Not sure about MPLS networking. However, in your case, it should be
simple. Just run Squid transparently on the gateway (firewall) from
where all 4 sites get access to the internet.
Adding SquidGuard or DansGuardian or even custom ACLs will provide you
with all the web blocking functionalities.
Thanking you...
Thanks in advance
--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
System Administrator
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
System Administrator
(TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
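The reply above says that Squid itself must also be configured in transparent mode, but neither poster shows the Squid side. The following squid.conf fragment is an added example, not from either poster and not the configuration shipped by the Squid project; the 192.168.0.0/24 network matches the addresses used in the thread, while the hostname and the path of the blocked-domains file are assumptions. It goes one step beyond the thread by adding the site-blocking ACL that the first question asked for.

```conf
# squid.conf fragment for the transparent bridge (added example, not from the thread)

# Listen on the port the iptables REDIRECT rule points at, in interception mode.
# "transparent" is the Squid 2.6/3.0 keyword; Squid 3.1 and later spell it "intercept".
http_port 3128 transparent
visible_hostname squid-bridge.example.net   # assumed name; set it to the box's FQDN

# Squid 2.6 does not predefine "all"; Squid 3.2 and later do, so drop this line there.
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/24             # the network behind the bridge (from the thread)
acl Safe_ports port 80                      # the bridge rules only divert plain HTTP on port 80
acl SSL_ports port 443
acl CONNECT method CONNECT
acl blocked dstdomain "/etc/squid/blocked-domains.txt"   # assumed path; one domain per line

# Rules are evaluated top to bottom and the first match wins: deny what must never
# pass, then allow only the LAN, then refuse everything else so the interception
# port cannot be reached as an open proxy from any other address.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked
http_access allow localnet
http_access deny all
```

Check the file with `squid -k parse` before applying it with `squid -k reconfigure`. Because the ebtables/iptables rules on the bridge only divert TCP port 80, HTTPS, VPN and other traffic still crosses the bridge untouched, which is why the Safe_ports ACL here lists port 80 only.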