Bridge Mode Proxy Configuration

June 2020
Setting up Squid

First, get Squid running. There is a lot of documentation in the Squid distribution, so I won't cover basic configuration here. On my Fedora box, I just installed the RPM, and that was all. Check that the following lines are present in /etc/squid/squid.conf:

  httpd_accel_host virtual
  httpd_accel_port 80
  httpd_accel_with_proxy on
  httpd_accel_uses_host_header on

These httpd_accel_* directives are the Squid 2.5 way of accepting intercepted requests. Squid 2.6 and later dropped them in favour of a single flag on the listening port, "http_port 3128 transparent", which Squid 3.1 and later spell "http_port 3128 intercept".

Also check that your network appears in the ACL section and that it is the only source http_access allows. An acl line on its own does nothing; it has to be referenced by an http_access rule, and http_access is evaluated first-match, so the catch-all deny goes last. For example, if your network is 192.168.1.0 netmask 255.255.255.0, use:

  acl our_networks src 192.168.1.0/24
  http_access allow our_networks
  http_access deny all

For testing, you may omit the "acl" line and just comment this:

  http_access deny all

and use this instead:

  http_access allow all

Be careful: "http_access allow all" makes the box an open proxy. The bridge has an address of its own (a public one in this example), so anyone who can reach port 3128 can relay requests through your cache, and those requests will appear to come from your network. I recommend using this configuration only for testing, and putting the our_networks rules back before leaving it running. Start Squid. In Fedora, you can use:

  bash# service squid start

Other distributions may use:

  bash# /etc/init.d/squid start
  bash# chkconfig squid on
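As an added example (not part of the original document), the following Python script audits the http_access ordering discussed above. It parses the src ACLs and the http_access rules of a squid.conf the way Squid reads them (first match wins, comment lines ignored) and reports the open-proxy "allow all", a missing final "deny all", and rules that sit unreachably after it. The three configuration snippets are constructed for the example: the "for testing" variant from the text, its corrected form, and a right-rules-wrong-order variant.

```python
"""Audit the http_access rules of a squid.conf for the open-proxy mistake
described above.  Added example, not from the original document; the three
configuration snippets are constructed for illustration."""
import ipaddress
import re

# Constructed: the "for testing" variant from the text, with the acl line left
# out, "deny all" commented and "allow all" put in its place.
WEAK_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443
http_access allow localhost
#http_access deny all
http_access allow all
"""

# Constructed: the corrected form, allowing only the LAN and denying the rest.
FIXED_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl our_networks src 192.168.1.0/24
http_access allow localhost
http_access allow our_networks
http_access deny all
"""

# Constructed: right rules, wrong order.  http_access is first-match, so the
# LAN allow never fires and nobody can use the cache.
MISORDERED_CONF = """\
acl our_networks src 192.168.1.0/24
http_access deny all
http_access allow our_networks
"""

ACL_SRC_RE = re.compile(r"^\s*acl\s+(\S+)\s+src\s+(.+?)\s*$")
HTTP_ACCESS_RE = re.compile(r"^\s*http_access\s+(allow|deny)\s+(.+?)\s*$")


def parse_src_acls(conf):
    """Map ACL name -> list of source networks.  Squid accepts both
    192.168.1.0/24 and 192.168.1.0/255.255.255.0; ipaddress handles both."""
    acls = {}
    for line in conf.splitlines():
        m = ACL_SRC_RE.match(line)
        if m:
            nets = [ipaddress.ip_network(n, strict=False) for n in m.group(2).split()]
            acls.setdefault(m.group(1), []).extend(nets)
    return acls


def unrestricted(name, acls):
    """True if the ACL matches every source address.  'all' is covered
    explicitly because Squid 3 defines it built-in with no acl line."""
    return name == "all" or any(n.prefixlen == 0 for n in acls.get(name, []))


def audit_http_access(conf):
    """Return a list of findings (empty when the ruleset looks sane).
    Comment lines never match the regex, so '#http_access deny all' is
    treated as absent, exactly as Squid treats it."""
    acls = parse_src_acls(conf)
    findings = []
    deny_all_seen = False
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = HTTP_ACCESS_RE.match(line)
        if not m:
            continue
        action, names = m.group(1), m.group(2).split()
        if deny_all_seen:
            findings.append(f"line {lineno}: rule after 'deny all' is unreachable")
            continue
        # Several ACL names on one line are AND-ed, so only a single
        # unrestricted ACL makes the line an unconditional allow.
        if action == "allow" and len(names) == 1 and unrestricted(names[0], acls):
            findings.append(f"line {lineno}: 'allow {names[0]}' admits any source (open proxy)")
        if action == "deny" and names == ["all"]:
            deny_all_seen = True
    if not deny_all_seen:
        findings.append("no final 'http_access deny all'; Squid falls back to the opposite of the last rule")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF), ("misordered", MISORDERED_CONF)):
        print(label, audit_http_access(conf) or "ok")
```

Run it against your real /etc/squid/squid.conf by passing the file contents to audit_http_access; anything it reports for the "allow all" or ordering cases is worth fixing before the bridge goes into the network path.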

Configuring the bridge

Install bridge-utils:

  bash# yum install bridge-utils

This couldn't be easier:

  ifconfig eth0 0.0.0.0 promisc up
  ifconfig eth1 0.0.0.0 promisc up
  brctl addbr br0
  brctl addif br0 eth0
  brctl addif br0 eth1
  ifconfig br0 200.1.2.3 netmask 255.255.255.0 up
  route add default gw 200.1.2.254 dev br0

The promisc flags are harmless but not strictly needed: the kernel puts a port into promiscuous mode itself when it is added to a bridge. ifconfig, route and brctl come from the older net-tools and bridge-utils packages; current distributions ship iproute2 equivalents for the same steps.

In this example, I suppose you are using eth0 and eth1. In the ifconfig line, I assigned IP address 200.1.2.3 to the bridge so I can access it remotely. Use an IP address in your own network (200.1.2.3 is just a placeholder). Don't forget it; you will need it later.

You may check that the bridge is working by using tcpdump:

  bash# tcpdump -n -i eth0
  ... (lots of funny stuff) ...
  bash# tcpdump -n -i eth1
  ... (lots of funny stuff) ...

Plug your machine into the network, and everything should work. Your Linux box is now a big, expensive two-port switch.

Configuring transparent redirection

We're able to see all the traffic in our network, because we are in the middle. Now we want to catch Web traffic and redirect it directly into Squid. First, let's see if Squid is correctly configured. Go to a PC in your LAN and manually configure a proxy. If you use Firefox, for example, go to the Edit menu and select Preferences. Select General and click "Connection Settings", choose "Manual Proxy Configuration", and enter the IP address of your bridge. The port is 3128, unless you have changed it. Try surfing the Web. If it works, you have Squid running and working as desired. Now we'll move on to the fun stuff and build a "brouter". First, install ebtables on the bridge machine. Then, just run these two commands:

  bash# ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
        --ip-destination-port 80 -j redirect --redirect-target ACCEPT
  bash# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
        -j REDIRECT --to-port 3128

The first command tells the bridge that IPv4 TCP packets to port 80 are to be "brouted": handed to the local IP stack instead of being forwarded out the other port. The second uses iptables to redirect those packets to local port 3128, so Squid can take care of them. Note what this does not cover: only plain HTTP on TCP port 80 is intercepted; HTTPS on port 443 and everything else is bridged untouched. Note also that the ebtables broute table was removed from the kernel in Linux 5.3; on current systems ebtables-nft emulates it, and nftables expresses the same step as a bridge-family rule that marks the packet for local delivery. Check Squid's log to see whether you're catching traffic:

  bash# tail -f /var/log/squid/access.log

You should see TCP_MISS entries at first and then, as the cache fills, TCP_HIT entries as well, meaning that the clients' requests are passing through Squid. Congratulations, you have a transparent proxy/Webcache!
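As an added example (not from the original document), here is a Python script that reads Squid's native access.log format and does the two checks a practitioner wants at this point: that the cache is serving hits, and that no client outside our_networks is being relayed, which would mean the ACLs are not in effect and the bridge is an open proxy. The log lines in SAMPLE_LOG are constructed; the allowed network and the addresses in it are assumptions matching the example above.

```python
"""Check Squid's native access.log once interception is on: hit ratio over
served requests, and any client outside the allowed networks.  Added example,
not part of the original document; SAMPLE_LOG is constructed."""
import ipaddress
from collections import Counter

# Constructed log lines in Squid's native format:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1275000001.101    312 192.168.1.20 TCP_MISS/200 5432 GET http://example.com/ - DIRECT/93.184.216.34 text/html
1275000002.205      3 192.168.1.21 TCP_HIT/200 5432 GET http://example.com/ - NONE/- text/html
1275000003.310    140 192.168.1.20 TCP_MISS/200 1024 GET http://example.com/logo.png - DIRECT/93.184.216.34 image/png
1275000004.412      2 192.168.1.22 TCP_HIT/200 1024 GET http://example.com/logo.png - NONE/- image/png
1275000005.500      1 203.0.113.7 TCP_DENIED/403 1200 GET http://example.org/ - NONE/- text/html
1275000006.600    280 198.51.100.9 TCP_MISS/200 9000 GET http://example.net/ - DIRECT/192.0.2.10 text/html
"""


def parse_line(line):
    """Split one native-format line into a dict; returns None for lines that
    do not have the ten expected fields (partial writes, rotation junk)."""
    f = line.split()
    if len(f) < 10:
        return None
    code, status = f[3].split("/", 1)
    return {
        "ts": float(f[0]),
        "elapsed_ms": int(f[1]),
        "client": ipaddress.ip_address(f[2]),
        "code": code,
        "status": int(status),
        "bytes": int(f[4]),
        "method": f[5],
        "url": f[6],
        "peer": f[8],
    }


def summarize(log_text, allowed_networks):
    """Hit ratio over served requests, plus every client address that is not
    in allowed_networks.  A client outside the LAN whose result is anything
    other than TCP_DENIED was relayed: that is the open-proxy condition."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    codes = Counter()
    outside, relayed = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        codes[rec["code"]] += 1
        if not any(rec["client"] in net for net in allowed):
            outside.add(str(rec["client"]))
            if rec["code"] != "TCP_DENIED":
                relayed.add(str(rec["client"]))
    total = sum(codes.values())
    served = total - codes["TCP_DENIED"]
    # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT and TCP_REFRESH_HIT all count as hits
    hits = sum(n for code, n in codes.items() if "HIT" in code)
    return {
        "requests": total,
        "served": served,
        "hits": hits,
        "hit_ratio": hits / served if served else 0.0,
        "outside_clients": sorted(outside),
        "relayed_for_outside": sorted(relayed),
    }


if __name__ == "__main__":
    # Assumed LAN from the example above; pass your own our_networks ranges.
    print(summarize(SAMPLE_LOG, ["192.168.1.0/24"]))
```

On a real box, feed it the output of tail or the whole /var/log/squid/access.log. An empty relayed_for_outside list with the LAN hit ratio climbing is what a correctly locked-down interception cache looks like; 203.0.113.7 in the sample shows a denied outsider, 198.51.100.9 a relayed one.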

Fine Tuning

You may want to fine-tune Squid, adjusting how much memory or disk space it will use. Just edit /etc/squid/squid.conf. Remember to create the ACLs (Access Control Lists) for your networks. You may want to have a script to set up all of this at boot. Use something like this:

  #!/bin/sh
  # Bring up the two bridge ports without addresses of their own
  ifconfig eth0 0.0.0.0 promisc up
  ifconfig eth1 0.0.0.0 promisc up
  # Create the bridge, add both ports, give it the management address
  brctl addbr br0
  brctl addif br0 eth0
  brctl addif br0 eth1
  ifconfig br0 200.1.2.3 netmask 255.255.255.0 up
  route add default gw 200.1.2.254 dev br0
  # Broute port-80 TCP to the local stack, then redirect it into Squid
  ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 \
      --ip-destination-port 80 -j redirect --redirect-target ACCEPT
  iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 \
      -j REDIRECT --to-port 3128

Save it as /var/my-start-scripts/bridgeBrouter-up.sh, chmod it to 0755, and add the following line to /etc/rc.local:

  /var/my-start-scripts/bridgeBrouter-up.sh

Have fun!

Speaking of fine tuning for Fedora Core, you can use:

> /etc/sysconfig/network-scripts/ifcfg-br0
> having the following content:
>
>   DEVICE=br0
>   ONBOOT=yes
>   BOOTPROTO=static
>   IPADDR=200.1.2.3
>   NETMASK=255.255.255.0
>   TYPE=Bridge
>
> In order for the configuration to work, you also have to modify the configuration files for eth0 and eth1
> (in your case)
> /etc/sysconfig/network-scripts/ifcfg-eth[01]
>
>   DEVICE=eth0   # or eth1
>   ONBOOT=yes
>   BOOTPROTO=static
>   BRIDGE=br0

  bash# /etc/rc.d/init.d/network restart

And enjoy. It's better to use the tools from the Linux distro than to place configuration scripts in rc.local.
