Transparent Cache Bridge


Page 1: Transparent Cache Bridge

HOWTO: Transparent Proxy on Bridged Server with Filtering

What is this document?

This is a step by step build for a transparent caching server with bridging on basic hardware. It is split so that each section can be a separate project: installing the server, setting up the bridge, setting up the caching service.

Who does it suit or what is its intended use?

This document suits anybody who has a network and wants to manage the bandwidth and reduce the abuse of the networking facility by the users. This project, once complete, will result in a server which gives the administrator monitoring of Internet use (or any Ethernet traffic, for that matter) and caches pages to reduce bandwidth overhead.

This is a relatively simple project that requires little hardware but pays for itself really quickly.

This document is written for Linux beginners.

The completed project is designed to span a logical network and manage the traffic.

What skill level is required?

You should be okay using this document to build the described solution if you have some command line experience in DOS or Linux and some fundamental knowledge of TCPIP. That is to say, if you can tell a valid address from a poor one and you know what a bridge and a router are. The server will be built and managed using a web interface, so really this is a simplified project that would make a great Linux / TCPIP tutorial / workshop. In this project, only basic commands are used at the console.

During this project you will get some experience and work in these areas:

Webmin

IPtables and filtering

Networking and TCPIP

Command Line Interface or Console

Squid

SARG

Maybe some scripting

And some other bits. Overall, it’s a nice simple project that will help you get into using Linux servers on old hardware for menial tasks that you would normally need a very expensive solution for.

Document Format

The document is broken into sections that are independent pieces of work. Any one section can be skipped based on your needs; if you are new to Linux as a server platform, I recommend you build the entire project for the experience, then customise it to suit your needs. While each section is independent, as a whole the project has good form and function.

All the key strokes are noted with square brackets, so where you see [Enter] it means the Enter key; where you see [Ctrl]+[c] it means while holding the Control key, press the ‘c’ key; and similarly anything like [Ctrl]+[Alt]+[Del], which is something you will not have to do much here.

All commands and console typing are in a console-like font and need to be entered exactly as shown, so something that is expressed like this:

chown -Rv bob:users /home/bob/*

is a command that will need to be put into the console or terminal, as typed. Remember Linux is case sensitive, which means if the command is all little letters, or has some big and some little, it has to be entered as such, exactly.


Further, all tasks and subtasks are indented, which means if a command has a subcommand or dependent action, that action is listed as indented, as this aspect of washing the car is shown here:

1. To wash the car, start with getting a good head on your soap mix:

    Fill the bucket with warm water

    Add two caps of soap

        Unless otherwise indicated on the container

            The container label normally will clear this up

    Mix around violently till the foam is likened to Guinness except in colour

    The soap mix is good to go.

It will be a good time saver to use a console application like PuTTY, which will allow you to copy and paste the commands into a terminal instead of having to retype everything, but then you will lose the command line experience which would have made you great as opposed to good.

What is a bridged server with transparent cache?

The server will be built with two network cards and will, first of all, act as a transparent bridge, which is a nice way of saying the server will become a very expensive two port switch. The idea is that all the resources and all the users are separated by placing the server in between them on the network. They will not know the bridge is there and there is no detectable difference when the bridge is on or off the network, just as with a switch.

A caching server stores copies of recently used information. In this case, web pages, which are served up from the local store rather than from across the web. This saves time and bandwidth and in an ideal setting provides a good experience for users and the people who have to pay for the bandwidth (and manage it).

When built together, all the traffic traversing the bridge can be altered. In this case, the web page requests will be forced into the caching service, reducing the bandwidth on the public network. In addition, the combination of packages required to build this server will allow the administrator a full view of all the network activity that traverses the bridge and the ability to block or monitor certain types of traffic or protocols. This means, for example, valid requests can be allowed and material of a dubious or unwanted nature can be 'filtered'. This filtering is done using IPtables.

This method of managing Internet traffic removes the need to update settings on every client computer and, as such, defeats any attempts by clients to avoid ‘management’ of the Internet.

What hardware is required?

This has only been tested in a VMware configuration at the time of writing. However, as this is based on Ubuntu 6.06 (a Debian based Linux distribution), any recommended, supported hardware will do fine. As we are not using any GUIs, any basic hardware is fine too. The more the better, or at least scale the hardware according to the requirement; for a 20 user LAN and a 1MBs ADSL Internet feed, the following should suffice:

P3 800MHz or better

384MB RAM or better

10GB hard drive space or better

In this project, no regard is made for any information already on the disk, we are going to wipe the disk completely, so don’t use a disk with something on it already you wish to keep.

Two Ethernet network cards; one needs to be as fast as the LAN, the other as slow as the Internet, or better.

As the caching service is memory dependent, any lags can be resolved by increasing the RAM as the first and often cheapest step, not to mention the least technical if you don’t want to read too much about performance tuning Linux. If you get the time though, every page read will contribute exponentially to your knowledge and the strength of the server build.

Get the software:

Download the Ubuntu live CD and the Ubuntu server install CD for i386 and burn them to CD (please note, these are ISO images, so the resulting CD should not have a single big file on it; both should be bootable CDs with heaps of files on them). Don't worry about 'i386', this does not mean you will get 386 performance. The CDs can be found here in South Africa:

ftp://ftp.is.co.za/linux/distributions/ubuntu/releases/6.06/ubuntu-6.06.1-server-i386.iso

ftp://ftp.is.co.za/linux/distributions/ubuntu/releases/6.06/ubuntu-6.06.1-desktop-i386.iso

Or follow the download links from www.ubuntu.com; you should be able to use 6.10 (the current release) without any modification to these steps.

Boot the CDs (they won't write to your hard drive when booting). At the boot menu of each CD there will be an option to test the media, 'Check CD for Defects'. This takes a few minutes but is well worth the effort. Execute the tests; if successful, continue; if not, check the download quality or re-burn the images at a lower speed.

Check your new hardware:

To be sure the hardware will work under Ubuntu (or Linux for that matter), boot to the live/desktop CD and select 'Start or Install Ubuntu'. This will bring up a fully functional desktop with a full installation of Ubuntu 6.06. It will however be running from the CD, so will be quite slow and chunky, but will work all the same. If it does not, stop here and resolve the error or check the hardware using the wiki or the forums at www.ubuntu.com.

The most important part of what we are trying to achieve is the network interface cards and the hard drive. Everything else is optional, so check there are two network cards in the menus System / Administration / Networking (check screenshot1).

Screenshot1

They will be named Eth0 and Eth1 (see screenshot2). In the menus System / Administration / Disks there should be a floppy drive, a hard drive and a CD-ROM drive (see screenshot3), and maybe one or two other unknown file systems; the important thing is that your disk is there as either /dev/sda or /dev/hda.


Screenshot2


Screenshot3

If anything fails here, stop and resolve, otherwise, all hardware is good. Shutdown and remove the CD.

Install the server:

Ubuntu server and desktop are different in that the server edition has no GUI and runs lean (and fast). Don't panic about the GUI; we will install the server and some basic (but powerful) remote management tools. For this next step, you will need a fixed IP address that can be assigned to the server and possibly a nice friendly name. For the purpose of this document, the nice friendly name (hostname) will be ‘theboss’ and the fully qualified name (FQDN) will be theboss.internetshop.local (obviously, you must use the domain you are using already or have chosen, but I don't know what this is, so substitute accordingly where you see this domain/hostname).

1. Put the ‘server’ disk you created earlier into the CD-ROM and boot the server.

2. On the next screen, select 'Install to Hard Disk.'

3. On the next screen, select 'English' by pressing [Enter] while it is highlighted.

4. On the next screen, select 'South Africa' by pressing [Enter] while it is highlighted.

5. On the next screen, select your keyboard type by pressing [Enter] while it is highlighted

You likely have an ‘American English’ keyboard if there is a ‘$’ symbol on the ‘4’ key and no UK pound sign on any other key.

6. On the next screen, you will be prompted for the NIC that is plugged in or will be the primary; it does not matter which is which, as long as they are both plugged in for now. Choose Eth0 and [Enter].

7. On the next screen, the server will get a DHCP address from your network. It should succeed; if not, you will have to enter the IP address manually.

a. Of course, if you do not use DHCP, it will fail and prompt for the network info. In that case, select 'Manually Configure' and [Enter]. This guide assumes manually configured interfaces. This is okay as long as you know some very basic info about DHCP and TCPIP.

8. On the resulting screen, enter the IP and [Enter]. For this exercise, I have used 192.168.20.250; you use whatever you have decided and substitute accordingly, of course, use something valid.

9. On the next screen, enter the subnet mask for your server, of course, this has to be valid too. I have used 255.255.255.0, substitute as required.

10. On the next screen, enter the gateway address for your site, this is likely the ADSL or frame router address. I have used 192.168.20.2 as mine is, substitute valid values as required.

11. On the next screen, enter a valid DNS server address.

12. On the next screen enter the Hostname (server name) and [Enter]. As discussed, this server is called ‘theboss’.

13. If you have a preferred proxy server, on the next screen, enter the details and press [Enter] or just leave it blank and [Enter].

14. On the next screen, the partitioning application will start and ask you what you want to do. Since this is a dedicated installation, select 'Erase entire disk' by pressing [Enter]. Do this knowing the entire disk and all its contents will be wiped clean.

15. On the resulting screen, the installer will prompt to make an ext3 and a swap partition. Select 'yes' and [Enter].

16. You may be prompted for time zone depending on your earlier country selection, select correctly and [Enter].

17. On the next screen choose 'no' for 'is the system clock set to UTC' and [Enter].

18. On the next screen, type in your full name, i.e. name and surname, and select 'continue' and [Enter].

19. On the next screen, select a username, it can be just about anything except admin, administrator, root etc. Just stick to the basics for now, enter your desired username, select 'Continue' and [Enter].

20. Select a good password you can remember, select 'continue' and [Enter].

21. The whole copy thing starts and the online resources are checked. If they fail, don't panic, we can fix that later and all the software required is on the CD, the installer just likes to see how far out of date your install CD is…

22. When rebooted, it will look very plain and boring (see screenshot4) but I can assure you it will be functional and lean.

23. The base server is installed.


Screenshot4

Before you go ahead into the next section, perhaps you should login and check a few basics. Use the username and password you entered above and try to ping www.google.com. Ping on Linux just keeps going, so you need to press [Ctrl]+[c] to stop it. At this point, network connectivity is critical and any problems need to be resolved before going forward.

Another task for now is to establish which physical interface on the PC is Eth0 and which is Eth1. We already know Eth0 has a fixed address from the steps above. Login to the server and at the console, start a ping session:

ping www.google.com

The ping will run continuously. While the ping is running, unplug one Ethernet cable at a time until the ping stops. You will then have identified the Ethernet port/card which is physically bound to the IP address above and is represented by Eth0. Mark the card in the PC so that you know which is Eth0 and which is Eth1. From now on, Eth0 will be known as the EXTERNAL interface and it is assumed to be the Ethernet card that is on the Internet side of the project. It is assumed that Eth1 is the side the clients on your network will be cabled from.

Update the server and install remote management:

Ubuntu uses a very clever world wide repository system to manage software updates and software distribution. Before continuing, we will update the installation in case heaps has changed since the install CD was created and then install management for people who hate command lines or can't remember the syntaxes...

Also, Ubuntu hides the 'root' or administrator user for security reasons, so all administrative (or root) commands need to be preceded by 'sudo' (SuperUserDO) and you will then be prompted for YOUR password, not the root password. There are exceptions to this, but not here.

24. Login as the user created above in 19.

25. At the console type the following line:

sudo apt-get update [Enter]

This updates the software sources and should take a few minutes. You will be prompted for your password (see screenshot5). If it fails, there is likely a network problem; resolve it before continuing. If it is not exactly like the screenshot, that is because you may have made a different country selection; I am in New Zealand, hence the abundance of ‘nz.archive…’


Screenshot5

26. Once you have a recent sources list, you can check for software updates, type the following in:

sudo apt-get upgrade [Enter]

You may not be asked for your password if the last command happened within a few minutes, as there is a timeout value for security reasons. You may be asked whether you wish to proceed; say <y> and go have coffee.... or compare with screenshot6 (obviously the exact packages listed may differ depending on the recently available packages, date of build etc).

Screenshot6


When you return, you will have a completely updated installation.

27. Now we need to download and install a package called Webmin, which will allow you to manage the server from a web browser. It is made up of two components: one which provides the HTTPS (SSL) support for the module and the other which is the package itself. The package installer is happy with wildcards and as such the asterisk ‘*’ is used here. The HTTPS part is downloaded with the apt-get install procedure as such:

sudo apt-get install ssleay-* [Enter]

Enter your password and <y>

28. Then make sure you are in your home folder, and then download the Webmin application. In Linux, usually just typing in ‘cd’ with no folder name will take you to your home folder. Do this now:

cd [Enter]

29. Then download the zipped Webmin application:

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.310-minimal.tar.gz [Enter]

30. Then uncompress it:

tar xvzf webmin-1.310* [Enter]

This line has a wildcard at the end; you can use the wildcard or just hit [Tab] and the command will be auto-completed if there are no ambiguities. This command extracts the Webmin package into a folder structure, and you need to install it as sudo via a script (the script is run with './' to indicate it is run from the folder it is in, as opposed to being found on the path):

cd webmin-1.310 [Enter]

sudo ./setup.sh

All the defaults are fine, except that you should set a difficult password, opt for SSL and 'run Webmin at Startup'. If you were not asked to use SSL, then the install of ssleay-* failed; you will need to retry that or risk having no encryption on your admin console. To check the install was successful, reboot the server:

sudo reboot

31. Testing. You should then be able to see the Webmin interface from a PC by opening a browser to your chosen server IP address:

https://192.168.20.250:10000/

Accept the default certificate if your browser prompts you for one. Use the username and password you assigned in the Webmin setup and you should see something like screenshot7 except that yours will be version 1.310.


Screenshot7

You now have a completely built and manageable server. The next section will build the bridge and test it. If you cannot see the web page, work through the instructions so far again and resolve.

Done.

Building an Ethernet Bridge:

Essentially, a bridge is two or more Ethernet interfaces which pass traffic through, indiscriminately. The reason we are doing this is to allow the network to continue functioning without you having to make changes anywhere on any workstation. Work smart, not hard.

32. First install the bridging software and some terminal software:

sudo apt-get install bridge-utils ssh

You should see the familiar installing of software for this Linux distribution. Once you have installed ssh, a terminal session can be opened to the server, which will allow you to select, copy and paste the rest of the commands in this document into the command line on the server, negating the need to retype the commands and removing the possibility of human error. You can use Putty.exe for this, or any other ssh terminal application, after the bridge is built (because while we build the bridge, networking will be unavailable).

33. Then, at the server console, stop all network traffic as such:

sudo /etc/init.d/networking stop

This stops the network service altogether. Of course, you will lose any terminal connections you have and will need to continue from the console.

34. With great care, back up the interfaces configuration file and then modify it to allow the bridge to work. This is the crucial step; all commands are case-sensitive and very, very syntax specific, so be exact and check your syntax before you invoke:

sudo cp /etc/network/interfaces /etc/network/interfaces.working


This command copies the configuration file out which you can only do as super-user, hence the 'sudo', the rest of the line is self-explanatory.

35. Modify the file with Nano, a really small editor which is easy to use (the keys are shown on the screen along the bottom). At the console:

sudo nano /etc/network/interfaces

36. Now carefully make it look like this, word for word, case sensitive (substitute the IP address and DNS information for your own valid values):

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

auto br0 lo

# The loopback network interface
iface lo inet loopback

# The primary network interface
iface br0 inet static
    address 192.168.20.250
    netmask 255.255.255.0
    network 192.168.20.0
    broadcast 192.168.20.255
    gateway 192.168.20.2
    dns-nameservers 202.27.184.3
    dns-search localdomain
    pre-up ifconfig eth0 down
    pre-up ifconfig eth1 down
    pre-up brctl addbr br0
    pre-up brctl addif br0 eth0
    pre-up brctl addif br0 eth1
    pre-up ifconfig eth0 up
    pre-up ifconfig eth1 up
    post-down ifconfig eth0 down
    post-down ifconfig eth1 down
    post-down brctl delif br0 eth0
    post-down brctl delif br0 eth1
    post-down brctl delbr br0

When you are complete, save and close the file: [Ctrl]+[o] (Write Out) then [Ctrl]+[x] (Close). If the file is exactly as above (apart from your IP and naming information, of course) you should have no errors.

37. Now start networking and if you have no errors and typed it correctly, you will see the modules load without errors on the console and you can ping the server and of course, open Webmin again:

sudo /etc/init.d/networking start

No errors means packets can pass through the server without prejudice. If you read the configuration file in the previous step, it should make sense: basically, the two adapters (eth0 and eth1) are being bound to make a third (br0), and there are some other settings too. I had a few problems that a restart of the networking service would not resolve, but once the server was restarted, all worked fine. Another means of testing where the problem lies is to stop the networking service and load the lines in the interfaces file one at a time from the console; this will then help identify any line that has a problem.
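A syntax check for the interfaces file, added here as an example and not part of the original HOWTO: the shell function below reads a file in /etc/network/interfaces format and reports the mistakes that most often stop the bridge coming up (the installer's leftover stanza putting the address on eth0 instead of br0, an octet above 255, addif before addbr, a port that is never removed on post-down). The two sample files are constructed for the demonstration; on the server you would run check_bridge_interfaces /etc/network/interfaces before starting networking.

```shell
# Added example, not part of the original HOWTO: sanity-check a file in
# /etc/network/interfaces format for the br0 bridge stanza before running
# "sudo /etc/init.d/networking start". Usage: check_bridge_interfaces FILE.
# The two sample files written below are constructed for the demonstration.

check_bridge_interfaces() {
    awk '
    # true if s is a dotted quad with every octet in 0..255
    function valid_ip(s,    n, q, i) {
        n = split(s, q, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (q[i] !~ /^[0-9]+$/ || q[i] + 0 > 255) return 0
        return 1
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
    $1 == "auto" { for (i = 2; i <= NF; i++) if ($i == "br0") auto_br0 = 1 }
    $1 == "iface" {
        cur = $2
        if (cur == "br0" && $3 == "inet" && $4 == "static") iface_br0 = 1
        # the installer wrote "iface eth0 inet static"; the address must live on br0,
        # never on a bridge member, so a leftover stanza for eth0/eth1 is an error
        if (cur ~ /^eth[0-9]+$/) { print "ERROR: " cur " has its own iface stanza; bridge members must not"; bad = 1 }
    }
    cur == "br0" && ($1 == "address" || $1 == "netmask" || $1 == "gateway") {
        have[$1] = 1
        if (!valid_ip($2)) { print "ERROR: " $1 " " $2 " is not a valid dotted-quad"; bad = 1 }
    }
    cur == "br0" && $1 == "pre-up" && $2 == "brctl" && $3 == "addbr" && $4 == "br0" { addbr_line = NR }
    cur == "br0" && $1 == "pre-up" && $2 == "brctl" && $3 == "addif" && $4 == "br0" {
        addif[$5] = NR
        if (!addbr_line) { print "ERROR: addif " $5 " appears before addbr br0"; bad = 1 }
    }
    cur == "br0" && $1 == "post-down" && $2 == "brctl" && $3 == "delif" && $4 == "br0" { delif[$5] = 1 }
    END {
        if (!auto_br0)  { print "ERROR: br0 is not on an auto line"; bad = 1 }
        if (!iface_br0) { print "ERROR: no \"iface br0 inet static\" stanza"; bad = 1 }
        split("address netmask gateway", req, " ")
        for (i = 1; i <= 3; i++) if (!have[req[i]]) { print "ERROR: br0 has no " req[i]; bad = 1 }
        n = 0
        for (p in addif) {
            n++
            if (!(p in delif)) print "WARNING: " p " is added to br0 but never removed on post-down"
        }
        if (n < 2) { print "ERROR: a bridge needs at least two ports, found " n; bad = 1 }
        if (bad) exit 1
    }' "$1"
}

SAMPLE_GOOD=$(mktemp)   # constructed: the stanza from the HOWTO, trimmed
cat > "$SAMPLE_GOOD" <<'EOF'
auto br0 lo
iface lo inet loopback
iface br0 inet static
    address 192.168.20.250
    netmask 255.255.255.0
    gateway 192.168.20.2
    dns-nameservers 202.27.184.3
    pre-up ifconfig eth0 down
    pre-up ifconfig eth1 down
    pre-up brctl addbr br0
    pre-up brctl addif br0 eth0
    pre-up brctl addif br0 eth1
    pre-up ifconfig eth0 up
    pre-up ifconfig eth1 up
    post-down ifconfig eth0 down
    post-down ifconfig eth1 down
    post-down brctl delif br0 eth0
    post-down brctl delif br0 eth1
    post-down brctl delbr br0
EOF

SAMPLE_BAD=$(mktemp)    # constructed: three typical mistakes in one file
cat > "$SAMPLE_BAD" <<'EOF'
auto eth0 br0
iface eth0 inet static
    address 192.168.20.250
    netmask 255.255.255.0
iface br0 inet static
    address 192.168.20.256
    netmask 255.255.255.0
    gateway 192.168.20.2
    pre-up brctl addif br0 eth0
    pre-up brctl addbr br0
    pre-up brctl addif br0 eth1
    post-down brctl delif br0 eth0
EOF

echo "--- $SAMPLE_GOOD"
check_bridge_interfaces "$SAMPLE_GOOD" && echo "OK: bridge stanza looks sane"
echo "--- $SAMPLE_BAD"
check_bridge_interfaces "$SAMPLE_BAD" || echo "FAILED: fix the lines above before starting networking"
```

It needs only sh and awk, so it can be run on the server while networking is stopped, or on a workstation against a copy of the file. A clean file exits 0; any ERROR line makes it exit 1, and a WARNING is reported but does not fail the check.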

38. Test the bridge by plugging Eth0 into the network that connects to the Internet and another workstation into Eth1 (with a known working cross-over cable); if you have link lights on the adapters, the workstation should be able to get to the Internet as before, as if the bridge server was not there.

Obviously, a good troubleshooting step would be to try pinging the server IP address to ensure TCPIP is loaded as expected.

If this fails, try to ping the server's address from the server's console, try to restart the server (sudo reboot), and if it still really won't work after you have double-checked the interfaces file, check the exact syntax of the interfaces file again.


Otherwise, your server now passes through internet traffic and is ready to have the caching server and firewall updated to stop those pesky bandwidth pirates!

Done.

Caching Server:

Essentially, a caching server saves a copy of the accessed Internet elements - scripts, images and page content etc. - so that any subsequent request is read from the server and not from the Internet. An example is if you open Yahoo Mail, as most of your users may; each time you open a mail item, all the page elements, like the advert banners, the little graphics that make up the icons for the mail items and the menu scripts etc., are downloaded again and again with each mail item accessed by each user. A caching server will remember those items, intercept the request before it goes onto your ADSL or frame line and substitute the local file. This saves your Internet bandwidth and speeds up the page requests, so you and your users will be happy.

The caching server of choice is Squid, a free package which is stable, can be easily installed and includes monitoring (although we will use another, more intense monitor called SARG)! Squid sits at port 3128, which is a problem, as you are usually expected to go to each workstation and make sure it looks at port 3128 or the users will be bypassing the proxy. With the magic of Linux and IPtables (a package installed by default), the packets crossing the bridge will be automatically redirected without users knowing. This means users are forced to use the cache and you get a report on their use of your Internet line (and potentially, with the right setup, a report on all the network usage). Squid also caches just about anything, not just web pages. And it is set up in a few easy steps...

39. At a workstation, open a web browser and go to the Webmin page:

https://192.168.20.250:10000

Don't forget to use YOUR IP address and that it's HTTPS, not http.

40. Now we need to install the management modules, this is easily point-and-click stuff:

Log in to the Webmin interface.

Click on Webmin Configuration button.

Click on the Webmin modules (looks like a red Lego brick)

Check the 'Standard module from…' radio button and click the [...] to browse the list of available modules,

Select 'net' and press the [Install Module] button,

When complete, click the [return to Webmin Configuration] link at the bottom of the page.

Now do all that again for each of the following modules - bandwidth, sarg, squid, webalizer, syslog and firewall (make sure each time the relevant radio button is selected!)

41. When you are complete, go to the Webmin Index page and if you open a few tabs, you will see there is added functionality. These are only the management interfaces; the relevant packages are still not installed. To install Squid, at the server console, first update your sources manually:

sudo nano /etc/apt/sources.list

You will see there are a few lines that specify where the files come from. The top two are from the CD; comment these out by inserting '#' in front of each line. Then remove the #'s from every other line that starts with deb..., so that the file looks like this (with the exception that your lines will likely be <locale>.archive... and mine are nz.archive...):

# deb cdrom:[Ubuntu-Server 6.06 _Dapper Drake_ - Release i386 (20060531)]/ dapper main restricted
# deb cdrom:[Ubuntu-Server 6.06 _Dapper Drake_ - Release i386 (20060531)]/ dapper main restricted

deb http://nz.archive.ubuntu.com/ubuntu/ dapper main restricted
deb-src http://nz.archive.ubuntu.com/ubuntu/ dapper main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://nz.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb-src http://nz.archive.ubuntu.com/ubuntu/ dapper-updates main restricted

## Uncomment the following two lines to add software from the 'universe'
## repository.
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## universe WILL NOT receive any review or updates from the Ubuntu security
## team.
deb http://nz.archive.ubuntu.com/ubuntu/ dapper universe
deb-src http://nz.archive.ubuntu.com/ubuntu/ dapper universe

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://nz.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse
deb-src http://nz.archive.ubuntu.com/ubuntu/ dapper-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu dapper-security main restricted
deb-src http://security.ubuntu.com/ubuntu dapper-security main restricted
deb http://security.ubuntu.com/ubuntu dapper-security universe
deb-src http://security.ubuntu.com/ubuntu dapper-security universe

Now the software available to you will be quite extensive. The trick with Linux is to install only what you need. The above changes add to the number of sources available to you, and this needs to be updated into the Apt database:

sudo apt-get update

sudo apt-get upgrade

42. Now install the caching server and the reporting package:

sudo apt-get install squid sarg

43. The usual dialog will appear. There will be more packages than you have selected because the dependencies have been calculated and some other packages will be automatically accepted. Accept and wait. Then login to Webmin, open the 'Servers' tab and you will see the Squid and SARG modules, and they will be functional (although there are some tidy-up tasks that will follow).

44. Now, Squid use is off-limits by default. Open the SQUID module in Webmin and create permissions for the network to access the squid service (in Linux-land, everything is off or denied by default, hence its reputation for a high level of security):

Open Squid Module,

Open Access Control page,

Use pull down list to select 'Client Address' and press 'Create New ACL' button under ACL list on left as per screenshot8,


Screenshot8

Type a name and the address range as per screenshot9, obviously, substitute your own address range, then click 'Save',

Screenshot9

Then, while still in the Access Control Page, create a rule to allow all addresses that are in the ACL you created on the right, click on 'Add Proxy Restriction',


Fill in the details as per screenshot10, click save,

Screenshot10

The Proxy Restriction now exists at the bottom of the list, under Deny All (and the list is read by the application from top to bottom), so press the up arrow next to your new restriction and make it second in the list as per screenshot11,


Screenshot11

When done, click the 'Return to Squid Index' link at the bottom of the page,

Lastly, open the 'Administrative Options' page and check the 'Visible Hostname' button and put in the IP address of your server, as per screenshot13 (use your server’s IP address).


Screenshot13

Done.

The Squid server is now set up, and once you return to the Squid Proxy Server page there will be an Apply button. Press it and wait a few moments. If there are no errors you are away laughing, with a proxy / caching service listening on TCP port 3128.

45. Test - Set a browser's proxy server setting to the server IP at port 3128 and browse the web. If you can't, check all the settings again; if you can, go to the next section. You are nearly finished now, so hang in there.

46. To be sure the proxy is being used, go to the console and view the access log for Squid to see your browser hitting pages. From the console:

sudo tail -f /var/log/squid/access.log

By default, tail only shows the last 10 lines of a text file. With '-f' it keeps the file open and scrolls new lines as they are appended, pretty cool huh?

While the command is running, open a few web pages. You will see the Squid service logging your activity. A result such as TCP_MISS means the page or content had to be retrieved from the Internet. If you browse the same pages again you will start to see TCP_HIT (or TCP_MEM_HIT) entries, which means the content was served from the local cache, saving Internet bandwidth.
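Tailing the log shows individual hits and misses; a few awk passes over the same file answer the questions an administrator actually asks (how much is the cache saving, who is pulling the most, which downloads are huge). The block below is an added example and not part of the original HOWTO. The log lines are constructed samples in Squid's native access.log format, using client addresses from the 192.168.20.0/24 network this guide assumes and documentation ranges for the web servers.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: awk summaries over Squid's
# native access.log, the file step 46 has you tail.
# Native format fields:
#   1 timestamp  2 elapsed ms  3 client  4 result/status  5 bytes
#   6 method  7 URL  8 ident  9 hierarchy/peer  10 content type

# Constructed sample log written to the file named in $1 (on the server the
# real file is /var/log/squid/access.log).
write_sample_access_log() {
    cat > "$1" <<'EOF'
1170000000.101    312 192.168.20.10 TCP_MISS/200 15432 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
1170000000.402     45 192.168.20.10 TCP_MISS/200 8012 GET http://www.example.com/logo.png - DIRECT/192.0.2.80 image/png
1170000030.110      3 192.168.20.11 TCP_HIT/200 15432 GET http://www.example.com/ - NONE/- text/html
1170000030.115      2 192.168.20.11 TCP_MEM_HIT/200 8012 GET http://www.example.com/logo.png - NONE/- image/png
1170000060.500    910 192.168.20.12 TCP_MISS/200 5242880 GET http://downloads.example.net/big.iso - DIRECT/198.51.100.7 application/octet-stream
1170000061.200    120 192.168.20.10 TCP_REFRESH_HIT/304 312 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
EOF
}

# Percentage of requests answered from the cache (any result containing HIT).
hit_percent() {
    awk '{ n++; if ($4 ~ /HIT/) h++ } END { printf "%d\n", (n ? 100 * h / n : 0) }' "$1"
}

# Bytes served locally, i.e. Internet bandwidth the cache saved.
bytes_from_cache() {
    awk '$4 ~ /HIT/ { b += $5 } END { print b + 0 }' "$1"
}

# Client address that pulled the most bytes through the proxy.
top_client() {
    awk '{ b[$3] += $5 }
         END { for (c in b) if (b[c] > max) { max = b[c]; top = c } print top }' "$1"
}

# URLs whose reply exceeded $2 bytes: the "huge file" downloads the
# Filtering section later wants to limit.
large_downloads() {
    awk -v limit="$2" '$5 > limit { print $7 }' "$1"
}
```

Run the functions against /var/log/squid/access.log on the server (they need read access, so use sudo). SARG, set up in the Reporting section, produces the same kind of summary for every user and site over a whole day; these one-liners are for a quick look while you are still testing.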

47. You are done here, now. You have a caching service, but have to visit every workstation on the network to change the proxy settings, unless you follow the next section and setup a dynamic redirect.

Note that in a browser, [Ctrl]+[F5] forces a reload that tells the caching server to fetch the page from the Internet again. This is useful when you are watching a dynamic web page and it seems to stop updating. Web developers can also send HTTP headers (such as Cache-Control: no-cache or no-store) or HTML meta tags that tell caching servers not to store a page. This matters for banking and other sensitive applications, because anything Squid does cache is otherwise sitting on the server's disk where the administrator can read it.


48. Screenshot14 shows all the bits and pieces that are downloaded with a simple visit to Microsoft’s home page.

Screenshot14

49. Other log files you can watch with tail to try and troubleshoot caching problems are found in /var/log/squid. To find out what they are, simply list them:

ls -al /var/log/squid/*.log

Done. Service is now running.

Caching Server Redirect

Now that the caching server is running on the bridge, you can either go to each workstation and modify the proxy server setting (and risk somebody changing that setting back) or you can use a firewall redirect to push all web traffic through the cache transparently. That redirect is this step.

50. First we need to initialise the firewall package:

Open Webmin and login.

Click the ‘Networking’ tab.

Click the ‘Linux Firewall’ button.

Set ‘Allow all traffic’ and check the ‘Enable at boot time’ before clicking the [Setup Firewall] button.

You now have a working firewall, except that it is set to allow all traffic. Restart the server, then visit the Linux Firewall page again to be sure the service came up at boot (it should look how you left it). Also, after the restart, be sure a network client can still browse the Internet, i.e. the packets are still going through the firewall.

51. Once it is checked as up and running, the port redirect needs to be enforced:

Open Webmin and login.

Click the ‘Servers’ tab.

Click the ‘Squid Proxy Server’ button.


Click the ‘Port Redirection Setup’ button.

Check the radio button ‘Port Redirection is enabled, for clients on interface’ [br0] as per screenshot15.

Click the <Save> button and you will be returned to the Squid Proxy Server page.

Click <Apply Configuration> button to have squid reload.

Screenshot15

52. Testing port redirection. What is happening now is that any TCP request to port 80 arriving on br0 is rewritten to the server's own port 3128. This means anybody attempting to reach a regular web server, which usually listens on port 80, is forced into the cache (HTTPS on port 443 is not touched by this redirect). To test this:

On a workstation that traverses the bridge make sure there is no proxy setting in Internet Explorer.

At the console start the tail of access.log:

sudo tail -f /var/log/squid/access.log

Browsing the web should cause the caching server to pickup the requests and tail should show the activity.

53. You will have noticed browsing quality is poor or not functional. Some images do not display and most scripting fails, because an intercepted request does not look like a proxy request: the browser sent a relative URL (GET /page.html) plus a Host header, not the full http://server/page.html that a browser configured for a proxy would send. Until Squid is told to rebuild the full URL from the Host header (the accelerator options below), it cannot fetch the right object, and the destination web server receives requests it does not expect.

To resolve this, make these changes to the Squid configuration:

Open Webmin and login.

Click the ‘Servers’ tab.

Click the ‘Squid Proxy Server’ button.


Click the ‘Miscellaneous Options’ button.

Check the radio button for HTTP Accel Host = Virtual

Check the radio button for HTTP Accel Port = 80

Check the radio button for HTTP Accel With Proxy = On

Check the radio button for HTTP Accel Uses Host Header = Yes

Squid now handles requests correctly. Click the <Save> button and when returned to the Squid Proxy Server page, click the <Apply Configuration> button.
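For reference, and so the result of the clicking can be checked from the console, here are the squid.conf directives that the Webmin pages of step 44 (access control, visible hostname) and step 53 (accelerator options) end up writing, together with a check for the ordering mistake step 44 warns about. This is an added example and not part of the original HOWTO; the network 192.168.20.0/24, the server address 192.168.20.250 and the ACL name "cafe_lan" are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: the squid.conf lines behind
# steps 44 and 53, plus an ordering check. Addresses and the ACL name are
# assumptions; substitute your own.

# Write the fragment to the file named in $1 (constructed for demonstration;
# on the server the real file is /etc/squid/squid.conf).
write_squid_fragment() {
    cat > "$1" <<'EOF'
# Step 44: "Client Address" ACL and the proxy restriction that allows it.
acl cafe_lan src 192.168.20.0/24
# http_access is read top to bottom and the first match wins, so the
# allow must sit above the catch-all deny.
http_access allow localhost
http_access allow cafe_lan
http_access deny all
# Step 44: Administrative Options -> Visible Hostname
visible_hostname 192.168.20.250
# Step 53: Squid 2.5 accelerator directives that let it rebuild the full
# URL from the Host header of an intercepted request. Squid 2.6 and later
# replace all four with "http_port 3128 transparent".
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
EOF
}

# Exit 0 if no "http_access allow" line comes after "http_access deny all"
# in $1; exit 1 if one does (it would never be reached and clients would
# get "Access Denied", the symptom of leaving the new rule at the bottom).
squid_acl_order_ok() {
    awk '
        /^[[:space:]]*http_access[[:space:]]+deny[[:space:]]+all/ { deny_seen = 1 }
        /^[[:space:]]*http_access[[:space:]]+allow/ && deny_seen { bad = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}
```

Run squid_acl_order_ok against /etc/squid/squid.conf after using the Webmin up-arrow in step 44 to confirm the restriction really moved above Deny All; then Apply Configuration as before.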

Now this works, you can deploy the server; here is an idea of how to connect the server to your network if you have an Internet café. Obviously, this can be adapted easily to other scenarios, see diagram1. Any workstations behind the bridge will have caching forced on them and be subject to the firewall filters we install in a later step. Any workstations or devices between the bridge and the Internet connection have direct access to the Internet, as their traffic does not traverse the bridge and is not subject to the rules in place. It is suggested, however, that those workstations have their browsers set manually to use the caching service so as to reap the benefits of locally cached web components.


Diagram1

Reporting


Now that all your client packets are traversing the firewall, it is easy to see what is going on. All web access is being accounted for through Squid and, because of the port redirect, there is no way to fetch a plain HTTP web page (port 80) without going through the caching service; HTTPS on port 443 is not redirected, so it does not appear in these reports. To be sure the users are not abusing the service by downloading huge files or material that may get you, as the owner / administrator, into trouble, we need to know what is going on in the network.

It is not really possible to check every user's access to every site; that is more than one person can get done in a day. Fortunately, the reporting module can filter by top ten and so forth and give a picture of usage trends. Being able to stop accesses that may affect your legal standing is a concern, so check the reports regularly and ban users who offend. If they are breaking the law using your facilities, it is likely you will be dragged into any legal proceedings.

Because the modules we are using are relying on log files, reporting only shows useful data after some use has occurred. Further, reporting on minimal use will likely have a skewed picture, so try to let the system run for a day or two before pulling out reports.

Reporting on browser usage or squid requests is done in this exercise by SARG.

54. SARG is already installed previously, so the only thing to do is set it up.

Open Webmin and log in.

Open the ‘Servers’ tab.

Click on the ‘Squid Analysis Report Generator’ button.

Customise the way you want reports generated.

This is self explanatory. The only caution is that reports generated automatically will constantly consume disk space, so keep an eye on how big they get. If possible, have the reports written somewhere other than the root partition, to avoid the system grinding to a halt for lack of space.

Alternatively, reports can be generated on the fly with the [Generate Report Now].

Remember this is only the usage that Squid is aware of, not other usage. For total usage, see the bandwidth monitor.

55. BANDWIDTH Monitor runs to show total number of packets per criteria. To see, for example, how much traffic has passed in a day:

Open Webmin and log in.

Open the ‘Networking’ tab.

Click on the [Bandwidth Monitoring] button.

Select the required criteria.

Click [Generate Report].

You now have a bar graph of all the traffic that has touched or traversed the firewall.

I am currently looking for a more detailed analysis tool that is real easy to use, so this section will hopefully get improved in the next few weeks or revisions, no promises, suggestions welcome though.

Fine Tuning

Here are some fine tuning steps, it may be short now, but it will grow as time goes on.

56. Domain Name is incorrect. The server has the default – localhost name and this needs changing. These settings are managed in Webmin under Networking and Network Configuration. Always make a note of what you change so that if you botch things, you can undo your changes.

Filtering - Beating the Bandwidth Bandits

Filtering is really only effective and easily managed if everything is blocked and little pinholes are created for the permitted traffic. Further, Squid can impose limits on cache use and, as all web traffic is forced through Squid, it can then be used to manage the content. This part of the guide could be quite comprehensive, so to help you get started, the following limits will be imposed on this server, and any customisation you need should then be self explanatory.

Since we are going to stop all TCP/IP traffic except the approved stuff, we should first make sure there are holes for our valid traffic. IPtables reads the list of rules from top to bottom; the first rule that matches is applied and nothing after it is consulted, otherwise the packet is passed to the next rule. For this reason the universal block rule must be the last rule, and the most frequently matched rules should be at the top. Think of this process as a flat flow-chart with only yes or no answers and only block or allow actions.

Here is the list of rules to be effected in the order they will be created:

Proxy Access - Allow

Internet Access – Allow

DNS Lookups - Allow

Webmin – Allow

Secure Internet Access – Allow

Instant Messenger – Allow

FTP – Deny

Bit Torrent – Deny

Games – Allow

Printing – Allow

Limits download file size to 5MB

Prevent Users from Installing Printers and Applications on the Internet Café PCs

Deny all other traffic.

There is a mix of rules here which are traffic types and some which are application types and some which are user management and authentication issues.

All of this is made a whole lot easier because we only have one interface, br0, to deal with. In this one instance (where a bridge is deployed) it is only necessary to block traffic in one place and it will be blocked all over. However, this does not remove the need to know what a filter does and exactly what traffic actually flows back and forth when a simple web page is opened. Beyond getting filtering to work, there is the problem that TCP/IP is tenacious and will still work in a poorly filtered environment, albeit at a greatly reduced rate. Each rule above is now individually added to the firewall with a very brief description. Further detail can be found all over the place.

57. Allow proxy access. This is a rule that allows requests to port 3128. It lets your browsers connect to the port that the caching engine listens on, and lets the redirect rule work too. Packets will arrive from a client's dynamic port (in the range 1025 to 65535) addressed to the server at TCP 3128, and the replies go back from TCP 3128 to that same dynamic port, so exceptions need to be made for both directions.

Open Webmin.

Click the ‘Networking’ tab.

Click the [Linux Firewall] button.

The default screen is the ‘packet filtering’ view as identified in the top left corner. The screen is divided into three sections, incoming, forwarded and outgoing. These are all relevant from the perspective of br0 in the bridging server.

In the Incoming Section, press [Add Rule] along the right hand side of the screen to create a rule for the incoming proxy requests (screenshot17 and screenshot 18).

In ‘Rule Comment’ type in a descriptive line - Proxy Access - TCP 3128

In ‘Action to Take’ select the ‘Accept’ radio button.


In ‘Network Protocol’ change <ignored> <TCP> to <equals> <TCP>

In ‘Destination TCP or UDP Port’ change <ignored> to <Equals> <3128>

Click the [Save] button and you will be returned to the Filters View.

Screenshot17

Now you have a rule that allows inbound packets if they are TCP and destined for port 3128 (the port that Squid listens on). The redirected browser traffic originally had a destination of TCP 80; because the redirect happens in the nat table before the filter rules are consulted, those packets already show destination port 3128 by the time this rule sees them, so the 3128 rule is the one doing the work. A rule allowing inbound TCP 80 is created as well, as a belt-and-braces allow for anything that reaches the server on port 80 itself.

In the Incoming Section, press [Add Rule] along the right hand side of the screen to create a rule for incoming web (TCP 80) requests (screenshot18).

In ‘Rule Comment’ type in a descriptive line - HTML Access - TCP 80

In ‘Action to Take’ select the ‘Accept’ radio button.

In ‘Network Protocol’ change <ignored> <TCP> to <equals> <TCP>

In ‘Destination TCP or UDP Port’ change <ignored> to <Equals> <80>

Click the [Create] button and you will be returned to the Filters View which now looks like screenshot 19.


Screenshot18


Screenshot19

Now you have rules for inbound ports 80 and 3128. The server also needs to reply. In this case the browser connects from a dynamic (or 'high') port, 1025 to 65535 inclusive, to the web server's port 80; the bridge redirects the connection to Squid on port 3128; Squid answers from port 3128, and the nat table rewrites that reply so the browser sees it come from the original web server's port 80, at the browser's high port. The short version is that we have to allow outbound packets from the server to the local network only (this stops the server itself using high ports to reach the Internet, an example being BitTorrent). As the server is behind a firewall and is already locked down, we can simply allow all outbound protocols to the local network. This means we can skip a few steps later. Remember to substitute your own IP network address information; I have used mine as described in the server build section.

In the Outgoing Section, press [Add Rule] along the right hand side of the screen to create a rule for the outbound high ports.

In ‘Rule Comment’ type in a descriptive line – Local Dynamic Ports – IP

In ‘Action to Take’ select the ‘Accept’ radio button.

In ‘Destination Address or Network’ change <ignored> to <Equals> <192.168.20.0/24>

In ‘Network Protocol’ change <ignored> <TCP> to <equals> <IP>

Click the [Create] button and you will be returned to the Filters View which now looks like screenshot 20. Essentially what has been done is the server is now allowed to talk to any other component of the network on any port in either TCP or UDP, this may not make sense till you have completed this section.

To summarise: the browser packets are bound for port 80 of a web server on the Internet. As the packets traverse the bridge they are intercepted and redirected to the server's own IP address and port 3128. The caching service resolves the web site, gets the content from the Internet or the local cache, and replies to the browser's high port; the redirect is undone on the way back, so the browser believes the reply came from the web server it asked for.

Each part of an IP address is called an octet because the numbers between the dots are each made up of eight bits. When an address is written as 192.168.20.250/24, the host is 192.168.20.250 on the network 192.168.20.0 with a mask of 255.255.255.0. If you convert 255 to binary you get eight 1's. Saying '/24' means the first three octets of the mask are all 1's and the last octet is all 0's (hence 24 ones and 8 zeros), and a rule written as 192.168.20.0/24 matches any host on that network. Don't fret about this; it may make sense after this section, so just make sure the input is as specified and move on. And don't forget to substitute your own IP address information as you go along.

Things get easier from here, trust me.

Screenshot20

58. Allow Internet access. When the browser makes a request to the proxy server, the proxy server gets that page from the Internet or the local cache and sends it back using the rules created above. This rule will allow the server to go to the Internet and get the page if it is not in the cache or is requested to be refreshed. So this rule will need to allow outbound requests to port 80 and inbound replies on high ports.

Open Webmin.

Click the ‘Networking’ tab.

Click the [Linux Firewall] button.

In the Outbound Section, press [Add Rule] along the right hand side of the screen to create a rule for the outbound http (port TCP 80) requests.

In ‘Rule Comment’ type in a descriptive line - Web Access - TCP 80


In ‘Action to Take’ select the ‘Accept’ radio button.

In ‘Network Protocol’ change <ignored> <TCP> to <equals> <TCP>

In ‘Destination TCP or UDP Port’ change <ignored> to <Equals> <80>

Click the [Create] button and you will be returned to the Filters View.

Okay, so now the caching service can go to web pages, but those web pages will talk back to high ports, so a rule needs to be made to allow high ports in, but, selectively, as some P2P software uses high ports, so the server needs to allow in high ports that are a direct response to a valid outbound request, only.

In the Inbound Section, press [Add Rule] along the right hand side of the screen to create a rule for the inbound high port (1025-65535) responses.

In ‘Rule Comment’ type in a descriptive line – Incoming High Ports

In ‘Action to Take’ select the ‘Accept’ radio button.

In ‘Network Protocol’ change <ignored> to <equals> <TCP>

In ‘Destination TCP or UDP Port’ change <ignored> to <Equals> <port range> <1025> to <65535>

In ‘Connection States’ change <Ignored> to <Equals> <ESTABLISHED>.

Click the [Create] button and you will be returned to the Filters View.

This allows inbound packets on high ports if they are a response to outbound requests.

Okay, so now the caching service can request http pages and receive responses. The rule made previously already allows the caching service to talk to the network on high ports, so this rule is complete. This and the previous rule let the server act as a proxy for http requests, completely. As the server has no deny filters at this stage, all traffic will still flow.

59. Allow DNS lookups. All web pages have human friendly names instead of IP addresses. We cannot remember the IP address for a web page, but the name can be remembered easily. There is a service that runs on the Internet (and elsewhere, but that's another volume) which resolves the names we use for web servers to the IP addresses that the traffic needs to find the actual server. It is called the Domain Name System (DNS). The caching server needs to resolve the names of the web pages it has to fetch, so it needs to talk to DNS servers on the Internet. These run on UDP 53 (TCP 53 is used for large answers and zone transfers, and is not covered here) and the responses come back to high ports. We already have such a rule for TCP, so we need a UDP rule for incoming high ports. Here are both:

Open Webmin.

Click the ‘Networking’ tab.

Click the [Linux Firewall] button.

In the Outbound Section, press [Add Rule] along the right hand side of the screen to create a rule for the outbound DNS (port UDP 53) requests.

In ‘Rule Comment’ type in a descriptive line - DNS Access – UDP 53

In ‘Action to Take’ select the ‘Accept’ radio button.

In ‘Network Protocol’ change <ignored> <UDP> to <equals> <UDP>

In ‘Destination TCP or UDP Port’ change <ignored> to <Equals> <53>

Click the [Create] button and you will be returned to the Filters View.

Okay, so now the caching service can go to DNS servers, we need a rule to allow replies on high UDP ports selectively, as some P2P software uses high ports, so the server needs to allow in high ports that are a direct response to a valid outbound request, only.

In the Inbound Section, press [Add Rule] along the right hand side of the screen to create a rule for the inbound high port (1025-65535) responses.


In ‘Rule Comment’ type in a descriptive line – Incoming UDP High Ports

In ‘Action to Take’ select the ‘Accept’ radio button.

In ‘Network Protocol’ change <ignored> to <equals> <UDP>

In ‘Destination TCP or UDP Port’ change <ignored> to <Equals> <port range> <1025> to <65535>

In ‘Connection States’ change <Ignored> to <Equals> <ESTABLISHED>.

Click the [Create] button and you will be returned to the Filters View.

This allows inbound packets on high UDP ports if they are a response to outbound requests.

60. Allow Webmin Access. As you are aware by now, Webmin runs on port TCP 10000 as indicated by the Webmin interface address. It will naturally respond on high TCP ports, but we already have a rule for that traffic, so we just need to allow inbound TCP 10000:

Open Webmin.

Click the ‘Networking’ tab.

Click the [Linux Firewall] button.

In the Inbound Section, press [Add Rule] along the right hand side of the screen to create a rule for the inbound Webmin (port TCP 10000) requests.

In ‘Rule Comment’ type in a descriptive line - Webmin Access – TCP 10000

In ‘Action to Take’ select the ‘Accept’ radio button.

In ‘Network Protocol’ change <ignored> <TCP> to <equals> <TCP>

In ‘Destination TCP or UDP Port’ change <ignored> to <Equals> <10000>

Click the [Create] button and you will be returned to the Filters View.

Okay, so now the Webmin page can be contacted directly. The rule allows inbound traffic without specifying which port the request comes from, so there is no need to create an inbound high port rule. The web browser contacts the Webmin service from a high port, but this is okay. The responses are covered by our outbound IP 192.168.20.0/24 rule. IP in this case means either UDP or TCP (amongst other protocols). One caution: as written, the rule accepts TCP 10000 from any source, including the Internet side of the bridge, so set 'Source Address or Network' to your local network (192.168.20.0/24 here) so that Webmin's login page is reachable only from inside.

61. Allow secure Internet access. As you may not be aware, https or secure Internet access (also referred to as SSL) runs on port 443 when used in browsers (usually, but the exceptions are not discussed here). Inbound requests arrive from high TCP ports to port 443 and once a session is established, replies are from high TCP ports to high TCP ports. We cannot redirect 443, so we have to make a ‘hole’ for it as once this exercise is over, we will exclude anything not specifically allowed.
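The Webmin clicks of step 51 (port redirection) and steps 57 to 61 (the filter pinholes) each correspond to one iptables command. The script below collects them in the order this section has argued for, deny-by-default with explicit allows, and is an added example rather than part of the original HOWTO. Interface br0 and the 192.168.20.0/24 network are this guide's; the state-match rules, the source restrictions and the FORWARD chain entries are the editor's additions, explained in the comments.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: the iptables commands behind
# step 51 and steps 57-61. Run with the argument "apply" as root to install
# the rules, or with IPT=echo to print them without touching the firewall.
IPT=${IPT:-iptables}
BR=${BR:-br0}
LAN=${LAN:-192.168.20.0/24}

# Frames crossing a Linux bridge only reach iptables when this sysctl is on
# (it is on by default in kernels of this era, but check after a reboot).
enable_bridge_netfilter() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -w "$f" ] && echo 1 > "$f"
}

# Step 51: what "Port Redirection is enabled, for clients on interface br0"
# installs. REDIRECT runs in the nat table's PREROUTING chain, before the
# filter table sees the packet, so filter rules see destination port 3128.
nat_rules() {
    $IPT -t nat -A PREROUTING -i "$BR" -p tcp --dport 80 -j REDIRECT --to-ports 3128
}

# Steps 57-61. iptables reads each chain top to bottom; the DROP policy is
# the "deny all other traffic" the guide puts last.
filter_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # One state rule per chain replaces the 1025-65535 "high port" rules of
    # steps 57-59: replies are accepted because they belong to a connection
    # the server (or a client) opened, whatever port they arrive on.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Step 57: proxy access (3128) and the belt-and-braces port 80 allow,
    # limited to the local network rather than any source.
    $IPT -A INPUT -i "$BR" -s "$LAN" -p tcp --dport 3128 -j ACCEPT
    $IPT -A INPUT -i "$BR" -s "$LAN" -p tcp --dport 80 -j ACCEPT
    # Step 57: the server may talk to the local network on any protocol.
    $IPT -A OUTPUT -d "$LAN" -j ACCEPT
    # Step 58: Squid fetching pages from the Internet.
    $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
    # Step 59: DNS lookups made by the server itself.
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    # Step 60: Webmin, reachable only from the local network.
    $IPT -A INPUT -i "$BR" -s "$LAN" -p tcp --dport 10000 -j ACCEPT
    # Step 61: client traffic that is not redirected (https, and the clients'
    # own DNS queries) crosses the bridge in the FORWARD chain, so the
    # "holes" for it belong here, not in INPUT.
    $IPT -A FORWARD -s "$LAN" -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD -s "$LAN" -p udp --dport 53 -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    enable_bridge_netfilter
    nat_rules
    filter_rules
fi
```

With FORWARD set to DROP, anything the workstations do other than redirected web, https and DNS is blocked as soon as this is applied, which is the "Deny all other traffic" intent of the rule list above; the Instant Messenger, Games and Printing allows from that list need their own FORWARD pinholes before going live, and the rules still have to be saved with the Webmin module (or iptables-save) to survive a reboot.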

I have to go to a company lunch now, so we can pick this up later. You build this so long and I will complete this section real soon. Installing and configuring the steps so far will allow the caching and reporting to work. I will block the unrelated traffic when this doco is complete.

More Reading

http://www.devshed.com/c/a/Administration/High-Performance-Web-Caching-With-Squid/

http://freshmeat.net/articles/view/1433/