LinuxQuestions.org

Linux - Security: Squid Proxy as a Firewall? (https://www.linuxquestions.org/questions/linux-security-4/squid-proxy-as-a-firewall-477941/)

flashstar 08-27-2006 11:19 PM

Squid Proxy as a Firewall?
 
I'm going to give this linux firewall thing a shot again. I tried the first time with guarddog and I could never get it to work with just that. However I heard somewhere that you can set up a squid proxy to act as a gateway for all traffic so that the firewall will be effective. I set up squid recently. I could just never get it to work. Does anyone have any ideas? Thanks

win32sux 08-27-2006 11:23 PM

Quote:

Originally Posted by flashstar
I'm going to give this linux firewall thing a shot again. I tried the first time with guarddog and I could never get it to work with just that. However I heard somewhere that you can set up a squid proxy to act as a gateway for all traffic so that the firewall will be effective. I set up squid recently. I could just never get it to work. Does anyone have any ideas? Thanks

squid does not have any firewall or gateway functionality... however, when squid is used in conjunction with a firewall (netfilter/iptables), it can provide a great solution for your web access filtering and/or transparent proxy cache needs... what exactly is it that you are aiming to achieve??

flashstar 08-28-2006 12:04 AM

Thanks for the reply. I'm trying to put a linux box outside of my network that is running Mepis with Guarddog firewall and have it act as a multi-purpose firewall, proxy server, music server, and game server. It is a very new computer and it isn't having trouble with these tasks so it should be fine. I just can't get it configured correctly so that it will route all of the data through one NIC, filter it with Guarddog firewall, and put it out the other NIC into a Buffalo router/access point. I tried setting it up before without squid but I just never could get it to work. I just need basic step-by-step instructions on how to do this.

Cable modem - Linux Guarddog Firewall/server (with Squid) - Access Point/Router - internal network

This has been a big headache for me so any help would be greatly appreciated. Thanks. :)

win32sux 08-28-2006 12:49 AM

Quote:

Originally Posted by flashstar
Thanks for the reply. I'm trying to put a linux box outside of my network that is running Mepis with Guarddog firewall and have it act as a multi-purpose firewall, proxy server, music server, and game server. It is a very new computer and it isn't having trouble with these tasks so it should be fine. I just can't get it configured correctly so that it will route all of the data through one NIC, filter it with Guarddog firewall, and put it out the other NIC into a Buffalo router/access point. I tried setting it up before without squid but I just never could get it to work. I just need basic step-by-step instructions on how to do this.

Cable modem - Linux Guarddog Firewall/server (with Squid) - Access Point/Router - internal network

This has been a big headache for me so any help would be greatly appreciated. Thanks. :)

okay, i think i'm starting to understand where you're coming from... the only thing i'm not sure about is what exactly you want squid to do for you... most of the time people use squid to do things like URL filtering, access control, or just plain web caching (to speed things up and also save bandwidth)...

does mepis come with a squid package?? if so, you're halfway there...

as for the firewall/router functionality, keep in mind that guarddog is only a front-end to iptables, and as such it isn't really needed if you use a proper iptables script (i can provide you with one)...

what people that want to use squid and a firewall/router usually do is they set up squid to work in transparent proxy mode... this way, users on your LAN do not need to make any configurations on their box - their web traffic will be sent through squid transparently...

okay, so basically there's two things you need in order to get your project started:

1) you need to have squid already installed (don't worry about configuration yet)...

2) you need to have iptables installed (you already have this, cuz if not then guarddog wouldn't work)...

please confirm the first point... if i remember correctly, mepis is debian-based, so i would assume a squid package for it is readily available...

once you have those two things, then it's just a matter of:

- using an iptables script (i will give this to you) to configure the firewall... and

- configuring squid (it's done by editing the squid.conf file)...

i can walk you through both... BTW, yeah, i can also give you a squid.conf to get you started...

but let's take it one step at a time... the first step is to get your router/firewall functionality properly set-up... what i would need from you to help you out is the names of the network interfaces on the mepis box (the box which will be used as the gateway)... tell me which interface is the one that plugs into your LAN (and DMZ etc. if you have more than two interfaces) and which one plugs into the WAN (Internet, or in this case the one that plugs into your buffalo)... for example, your WAN interface might be eth0 while your LAN one is eth1... oh, and if you can explain your IP configuration (on both mepis and buffalo) it would also be of great help...

flashstar 08-28-2006 07:43 AM

I have already installed Squid in regular mode since it came with the Ubuntu packages (Mepis is based on Ubuntu).
The interfaces are eth0 (wan) to plug into the cable modem and eth1 (lan) to go to the Buffalo.
I have also configured the Buffalo to run as a DNS server as well as a dhcp server.

Thanks for the help though, I didn't know that you could just use a script. :)

EDIT: If it will not function outside of the lan (ie plugged directly into the modem) then that is fine as well. I don't mind running it inside the Buffalo.

win32sux 08-28-2006 08:54 PM

sorry for the delay, school's been terrible... =/

okay, here's a simple iptables script that should work for you...
Code:

#!/bin/sh

IPT="/sbin/iptables"

WAN_IFACE="eth0"
LAN_IFACE="eth1"

# default policies: nothing gets in to, or through, the box unless a rule below allows it
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# the mangle and nat tables are not used for filtering here, so they accept everything
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

# flush every rule and delete user-defined chains, so the script can be re-run cleanly
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

# let in replies to connections the box itself started, and all loopback traffic
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# let through replies to connections already routed via the box
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# new connections may only be started from the LAN side towards the WAN side
$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE \
-m state --state NEW -j ACCEPT

# everything leaving the WAN interface is NATed behind its address
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

run that on the mepis box and it should start routing properly for your LAN... once you are sure it works well it's just a matter of saving the changes... i explained how to do it for ubuntu on a previous post, let me know if you have any questions about that... my guess is that if mepis is ubuntu-based then it should be the same procedure...

make sure you have forwarding enabled in your /etc/sysctl.conf file:
Code:

net/ipv4/ip_forward=1
i also recommend having rp_filter enabled:
Code:

net/ipv4/conf/all/rp_filter=1
do this after editing sysctl.conf to activate the changes without having to reboot:
Code:

sysctl -p
let me know how it goes... good luck!!!

PS: i'd remove/uninstall guarddog before doing this if i was you...

flashstar 08-28-2006 09:22 PM

I will check this ASAP. I just have a few questions beforehand. Do you just use the run command to execute the iptables script? Also, will this let ports 27015, the vpn port, and port 8080 through to the internet? Thanks.

EDIT: I hate school too. AP world history. :(

win32sux 08-29-2006 06:44 AM

Quote:

Originally Posted by flashstar
I will check this ASAP. I just have a few questions before hand. Do you just use the run command to execute the iptables script?

to execute the script, save it as a text file, and then execute it with a dot and a slash, like:
Code:

./firewall-script.txt
of course, you'd need to have made the file executable beforehand:
Code:

chmod a+x firewall-script.txt
another way to execute it is with the sh command (instead of the dot and the slash):
Code:

sh firewall-script.txt
Quote:

Also, will this let ports 27015, the vpn port, and port 8080 through to the internet? Thanks.
this particular script doesn't filter any outgoing connections (neither from the mepis box nor from the LAN), so it will allow outgoing connections to those ports you have mentioned... on the other hand, if what you meant was incoming connections, then a couple rules would need to be added - no big deal... let me know...

Quote:

EDIT: I hate school too. AP world history. :(
speaking of school, i'm gonna hit the shower now and be on my way to school... TTYL...
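The transparent proxy mode win32sux describes earlier in the thread, together with the "couple rules" he says above would need adding for incoming connections to ports 27015 and 8080, as an added example that is not part of the thread. It takes his script as its base and extends it; the LAN subnet 192.168.1.0/24, Squid listening on 3128, and which ports face the WAN are assumptions (the VPN port is never named in the thread, so it is left for you to add). Without `--apply` the script only prints the iptables commands it would run, so the rule set can be read before it is loaded as root.

```shell
#!/bin/sh
# Added example (not from the thread): win32sux's two-interface NAT script extended with
#   1. a REDIRECT that sends LAN web traffic into Squid (transparent proxy mode),
#   2. the INPUT rules the LAN needs to reach Squid and the game server on the box,
#   3. the WAN-side INPUT rules for the services flashstar asked about.
# Assumed: LAN is 192.168.1.0/24, Squid listens on 3128, the game server is TCP 27015
# and the second service TCP 8080. The VPN port is not named in the thread; append it
# to INCOMING_TCP_PORTS (and change -p if it is UDP).
#
# Usage:  sh firewall.sh            prints the iptables commands (dry run)
#         sh firewall.sh --apply    runs them (as root)

WAN_IFACE="eth0"
LAN_IFACE="eth1"
LAN_NET="192.168.1.0/24"
SQUID_PORT="3128"
INCOMING_TCP_PORTS="27015 8080"

if [ "${1:-}" = "--apply" ]; then
    IPT="/sbin/iptables"
else
    IPT="echo iptables"
fi

base_rules() {
    # same skeleton as the original script: drop by default, flush, allow replies,
    # allow new LAN->WAN connections, masquerade on the way out
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F; $IPT -F -t nat; $IPT -F -t mangle
    $IPT -X; $IPT -X -t nat; $IPT -X -t mangle
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # -s $LAN_NET: only our own subnet is routed and NATed, not anything else
    # that happens to show up on the LAN wire
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IFACE" -s "$LAN_NET" -j MASQUERADE
}

transparent_proxy_rules() {
    # Divert LAN port-80 traffic to Squid before routing. Matching on -i $LAN_IFACE
    # keeps Squid's own upstream fetches (which leave the box, not arrive on the LAN
    # side) from being redirected back into itself. Squid must listen in intercept
    # mode for this to work:
    #   http_port 3128 transparent   (Squid 2.6)
    #   http_port 3128 intercept     (Squid 3.1 and later)
    $IPT -t nat -A PREROUTING -i "$LAN_IFACE" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
}

lan_input_rules() {
    # INPUT policy is DROP, so the redirected packets (now addressed to the box
    # itself) and LAN clients of the game server need explicit permission.
    for port in $SQUID_PORT $INCOMING_TCP_PORTS; do
        $IPT -A INPUT -i "$LAN_IFACE" -s "$LAN_NET" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

wan_input_rules() {
    # "incoming" rules: only these TCP ports on the box are reachable from the
    # Internet; everything else arriving on the WAN side still hits the DROP policy
    for port in $INCOMING_TCP_PORTS; do
        $IPT -A INPUT -i "$WAN_IFACE" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

all_rules() {
    base_rules
    transparent_proxy_rules
    lan_input_rules
    wan_input_rules
}

all_rules
```

Squid's port is deliberately not opened on the WAN side: an intercepting proxy reachable from the Internet is an open proxy. Forwarding (`net/ipv4/ip_forward=1`) still has to be switched on as win32sux shows, since the REDIRECT only diverts what the box is already routing.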

flashstar 08-29-2006 11:20 PM

Thanks for your concern. I think I may have isolated the problem however. I think that the network card (which is rather old and has been lying on my desk for months) has croaked. This is probably why I've been having so many problems configuring it. See, I tried using the iptables script, but even though it said that my card was active, computers on the lan were unable to acquire an ip address. I will buy a new nic and try it again. :)

Thanks

win32sux 08-30-2006 06:31 AM

Quote:

Originally Posted by flashstar
computers on the lan were unable to acquire an ip address.

from the mepis box?? i thought your DHCP server was running on your buffalo, not the mepis... also, even though you're getting a new card, could you post the output of these commands on the mepis box please (after executing the script):
Code:

ifconfig
Code:

route -n
Code:

cat /etc/resolv.conf
Code:

iptables -L -n -v
Code:

cat /proc/sys/net/ipv4/ip_forward
Code:

cat /proc/sys/net/ipv4/conf/all/rp_filter
BTW, did you try doing ping tests?? cuz if you are able to ping google.com and hosts on your LAN from the mepis box then it's very unlikely that either of your cards has croaked...

flashstar 08-31-2006 05:54 PM

Sorry for the delay, but this is becoming such a pain that I guess I will just revert to an old router to block specific ports (which has many more options than my newer one). I will probably get back to a firewall on linux so don't worry, I will still use your advice. It's just that I recently unearthed this D-link router that can be setup to restrict access to any number of ports and applications, which is what this will do on linux anyway. Right?

win32sux 08-31-2006 06:04 PM

Quote:

Originally Posted by flashstar
Sorry for the delay, but this is becoming such a pain that I guess I will just revert to an old router to block specific ports (which has many more options than my newer one). I will probably get back to a firewall on linux so don't worry, I will still use your advice. It's just that I recently unearthed this D-link router that can be setup to restrict access to any number of ports and applications, which is what this will do on linux anyway. Right?

i'm willing to help you out in whatever way i can so that you can get your linux box doing exactly what you want it to do... but you haven't given me much to work with... take the commands i kindly asked for output of, for example... or when i asked you about your IP configuration... or about your DHCP server... =(

about the linksys: i know it lets you restrict incoming connections, but i'm not sure if it lets you restrict outgoing connections (it might)... in fact, i'm not even sure which type of connections you are trying to restrict, since saying you want to "block specific ports" is kinda vague when we are talking about routing... =/

in any case, a linksys router will be nowhere near as flexible and/or powerful as a properly configured x86 linux box - but perhaps it does in fact do everything that you need it to do... i wish you the best with whatever you choose, and i'm here to help you either way... good luck...

flashstar 09-04-2006 01:20 PM

Win32sux, all I wish to do is to make my network secure by blocking all ports coming in (and maybe out as well) except TCP port 27015, 80, 53, and 8080. I will try to check your commands. I really do appreciate your help. It's very hard to find anyone online who is as helpful as you.

The buffalo is running a DHCP server which is designed to assign addresses from 192.168.2.2-192.168.2.20.

flashstar 09-04-2006 01:35 PM

Code:

eth0      Link encap:Ethernet  HWaddr 00:30:1B:BB:73:A1
          inet addr:192.168.2.16  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18718190 errors:3 dropped:0 overruns:0 frame:3
          TX packets:15079321 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2556164663 (2.3 GiB)  TX bytes:1172776624 (1.0 GiB)
          Interrupt:225

eth1      Link encap:Ethernet  HWaddr 00:11:95:1D:E4:94
          inet addr:192.168.2.15  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:50 Base address:0xe000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:159953 errors:0 dropped:0 overruns:0 frame:0
          TX packets:159953 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:838651380 (799.8 MiB)  TX bytes:838651380 (799.8 MiB)

flashstar@6[~]$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth1
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
flashstar@6[~]$ cat /etc/resolv.conf
search hsd1.tx.comcast.net
nameserver 192.168.2.1
flashstar@6[~]$ iptables -L -n -v
WARNING: Failed to open config file /etc/modprobe.d/cs46xx: Permission denied
FATAL: Module ip_tables not found.
iptables v1.3.3: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
flashstar@6[~]$ cat /proc/sys/net/ipv4/ip_forward
0
flashstar@6[~]$ cat /proc/sys/net/ipv4/conf/all/rp_filter
1

root@4[flashstar]# ./firewall-script.txt
root@4[flashstar]# ./firewall-script.txt
root@4[flashstar]# iptables -L -n -v
Chain INPUT (policy DROP 16 packets, 2143 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state NEW

Chain OUTPUT (policy ACCEPT 29 packets, 2689 bytes)
 pkts bytes target     prot opt in     out     source               destination
root@4[flashstar]#

This was what I got when I typed in the above mentioned codes.

win32sux 09-04-2006 09:20 PM

okay let's start with this:
Quote:

Originally Posted by flashstar
eth0 Link encap:Ethernet HWaddr 00:30:1B:BB:73:A1
inet addr:192.168.2.16 Bcast:192.168.2.255 Mask:255.255.255.0

Quote:

eth1 Link encap:Ethernet HWaddr 00:11:95:1D:E4:94
inet addr:192.168.2.15 Bcast:192.168.2.255 Mask:255.255.255.0
you have both network cards on the same subnet... that's not good... i assume your WAN card's IP is what your ISP (or your buffalo) gives you, so leave that alone and change the IP/subnet of your LAN card instead... i suggest giving it IP 192.168.1.1 with netmask 255.255.255.0, and hence the machine(s) connected to the LAN side of your mepis router will need to use subnet 192.168.1.0/24 with gateway 192.168.1.1

Quote:

Originally Posted by flashstar
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth1
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0

you only need one gateway, on your WAN interface... so make sure you aren't doing anything funny in that regard... i suspect that once you've properly set your LAN's IP configuration, the rest will fall into place... but just to give you an illustration of what it should look like, here's the "route -n" output from my ubuntu box (i am doing NAT with a two-interface setup like yours):
Code:

Kernel IP routing table
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
202.70.190.0    0.0.0.0        255.255.255.0  U    0      0        0 eth1
192.168.1.0    0.0.0.0        255.255.255.0  U    0      0        0 eth0
0.0.0.0        202.70.190.1    0.0.0.0        UG    0      0        0 eth1

eth0 is my LAN interface, which has an IP of 192.168.1.1, and eth1 is my WAN interface, which is configured via DHCP (i have a cable modem) by my ISP and currently has IP 202.70.190.65... as you can see, the only gateway on my box is that which is provided by my ISP, which is 202.70.190.1 and is connected to my box via eth1...

once you have your IP configuration in order, the routing should work well with the iptables script i provided for you... keep in mind that this:
Quote:

flashstar@6[~]$ cat /proc/sys/net/ipv4/ip_forward
0
means you still haven't activated forwarding, which you must do by making sure this line is in your /etc/sysctl.conf file:
Code:

net/ipv4/ip_forward=1
make sure you re-post all those outputs after having made the appropriate changes, so we can see how you are progressing... good luck...
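The three things win32sux reads off flashstar's output by eye above (both NICs in one subnet, two default routes, ip_forward still 0), as an added check script that is not part of the thread. The sample inputs are the `route -n` lines the two of them posted; run it with five arguments (WAN interface, WAN IP, WAN mask, LAN IP, LAN mask) on the gateway and it reads `route -n` and /proc/sys/net/ipv4/ip_forward from the live box instead. The addresses are passed by hand rather than scraped from ifconfig, whose layout varies between distributions; win32sux's WAN netmask is assumed to be 255.255.255.0 from the 202.70.190.0 route he posted.

```shell
#!/bin/sh
# Added example (not from the thread): scripts the checks win32sux made by eye on
# flashstar's output. It flags a WAN and LAN interface that share one subnet, anything
# other than exactly one default route (which must leave via the WAN interface), and
# forwarding switched off.
#
# Usage:  sh gateway-check.sh WAN_IFACE WAN_IP WAN_MASK LAN_IP LAN_MASK
#             checks the live box (reads `route -n` and /proc/sys/net/ipv4/ip_forward)
#         sh gateway-check.sh
#             with no arguments, checks the two configurations posted in the thread

# `route -n` as flashstar posted it (the "Kernel IP routing table" line dropped)
FLASHSTAR_ROUTES='Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0'

# `route -n` from win32sux's working ubuntu gateway
WIN32SUX_ROUTES='Destination Gateway Genmask Flags Metric Ref Use Iface
202.70.190.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 202.70.190.1 0.0.0.0 UG 0 0 0 eth1'

# network_of IP MASK -> the network address (octet-wise AND of address and mask)
network_of() {
    ip=$1 mask=$2
    old_ifs=$IFS; IFS=.
    set -- $ip;   i1=$1; i2=$2; i3=$3; i4=$4
    set -- $mask; m1=$1; m2=$2; m3=$3; m4=$4
    IFS=$old_ifs
    printf '%d.%d.%d.%d\n' "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))"
}

# same_subnet IP1 MASK1 IP2 MASK2 -> true when both addresses fall in one network
same_subnet() {
    [ "$(network_of "$1" "$2")" = "$(network_of "$3" "$4")" ]
}

# reads `route -n` text on stdin; prints the interface of every default route
default_route_ifaces() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" && index($4, "G") { print $NF }'
}

problem() { echo "PROBLEM: $*"; }

# check_config WAN_IFACE WAN_IP WAN_MASK LAN_IP LAN_MASK ROUTE_TEXT IP_FORWARD_VALUE
# prints one PROBLEM: line per finding
check_config() {
    wan=$1 wan_ip=$2 wan_mask=$3 lan_ip=$4 lan_mask=$5 routes=$6 forward=$7
    if same_subnet "$wan_ip" "$wan_mask" "$lan_ip" "$lan_mask"; then
        problem "WAN $wan_ip and LAN $lan_ip are both in $(network_of "$wan_ip" "$wan_mask"); give the LAN side its own subnet"
    fi
    set -- $(printf '%s\n' "$routes" | default_route_ifaces)
    if [ $# -ne 1 ]; then
        problem "$# default routes; a NAT gateway needs exactly one, via $wan"
    elif [ "$1" != "$wan" ]; then
        problem "default route leaves via $1, not the WAN interface $wan"
    fi
    if [ "$forward" != "1" ]; then
        problem "ip_forward is '$forward'; set net/ipv4/ip_forward=1 in /etc/sysctl.conf and run sysctl -p"
    fi
    return 0
}

if [ $# -eq 5 ]; then
    check_config "$1" "$2" "$3" "$4" "$5" "$(route -n)" "$(cat /proc/sys/net/ipv4/ip_forward)"
else
    echo "== flashstar's posted configuration =="
    check_config eth0 192.168.2.16 255.255.255.0 192.168.2.15 255.255.255.0 "$FLASHSTAR_ROUTES" 0
    echo "== win32sux's working configuration =="
    check_config eth1 202.70.190.65 255.255.255.0 192.168.1.1 255.255.255.0 "$WIN32SUX_ROUTES" 1
fi
```

With no arguments it reports three problems for flashstar's box and none for win32sux's. A second default route matters more than it looks: with rp_filter=1, as recommended earlier in the thread, the kernel drops packets whose reply would leave by a different interface than they arrived on, so two gateways on two NICs in the same subnet can silently blackhole forwarded traffic.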

