Post #1, May 26 2004, 11:33 AM
Its GNU/Linuxhelp.net, Group: Support Specialist, Posts: 1,417, Joined: 3-January 04, From: Serbia and Montenegro (SCG), Member No.: 2,069
SQUID (transparent proxy server) + SQUIDGUARD + NAT Server On Whitebox Linux 3.0
Step-By-Step [tm]

1. Get yourself a Whitebox Enterprise Linux 3.0 CD or download it from http://www.whiteboxlinux.org/download.html .

2. Install WBEL 3.0 using the minimal install (choose custom during install, and select minimal). A 30GB hard disk drive is highly recommended. Select manual partitioning during install and partition it as:

    /boot    102MB
    /        9892MB
    /proxy1  10000MB
    /proxy2  10000MB

PLEASE NOTE: I assume you'll be using IP 192.168.10.2 for the proxy / NAT server and 192.168.10.1 for the firewall, and that you have 4 ethernet cards:

    eth0 : 192.168.0.250
    eth1 : 192.168.1.250
    eth2 : 192.168.2.250
    eth3 : 192.168.10.2

When you configure Windows or Linux clients:

    ip address : 192.168.0.x
    gateway    : 192.168.0.250
    dns        : use your ISP's DNS server, or wait a little more and Hughesjr will finish his DNS GUIDE

(I think this is a very good configuration, so you might as well use this type of setup.)

3. Download the yum.conf file from here: http://www.hughesjr.com/wbel/yum.conf.txt

INSTRUCTIONS:
CODE
    [root@squid root]# cd /home
    [root@squid root]# wget http://www.hughesjr.com/wbel/yum.conf.txt
    [root@squid root]# cp yum.conf.txt /etc/yum.conf

At the cp yum.conf.txt /etc/yum.conf point the system will ask you if you want to overwrite the file; type yes. And you're done with the yum.conf file.

4. Enter the following command:
CODE
    [root@squid root]# yum update

This will take a while. Later you should update your system on a regular basis.

5. Now it's time to install SQUID:
CODE
    [root@squid root]# yum install squid

6. Once squid is done, you will need to edit the /etc/squid/squid.conf file.

INSTRUCTIONS:
CODE
    [root@squid root]# /etc/init.d/squid stop
    [root@squid root]# cd /etc/squid/
    [root@squid root]# rm squid.conf

Here is what you need to enter (please note that since you can do a lot of stuff with squid, there might be things that won't be needed; please do check the config file, I think it's not so hard to understand once you have something to begin from):

squid.conf
CODE
    http_port 3228
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    cache_mem 32 MB
    fqdncache_size 1024
    cache_dir ufs /proxy1/ 8000 16 256
    cache_dir ufs /proxy2/ 8000 16 256
    cache_mgr someone@somedomain.com      # enter your e-mail address here
    cache_effective_user nobody           # I like to run squid as nobody
    cache_effective_group nobody          # I like to run squid as nobody
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl ftpdr proto FTP
    acl localhost src 127.0.0.1/32
    acl SSL_ports port 443 563
    acl Safe_ports port 80 8080 21 443 563 70 210 1025-65535
    acl Safe_ports port 280
    acl Safe_ports port 488
    acl Safe_ports port 591
    acl Safe_ports port 777
    acl CONNECT method CONNECT
    acl subnet1 src 192.168.0.0/255.255.255.0
    acl subnet2 src 192.168.1.0/255.255.255.0
    acl subnet3 src 192.168.2.0/255.255.255.0
    acl deny_ext urlpath_regex -i "/etc/squid/deny_ext"
    http_access deny deny_ext
    # ACL names on one http_access line are ANDed, so the next line can never
    # match (no client is in all three subnets at once); the three single-subnet
    # lines below it are what actually allow the clients.
    http_access allow subnet1 subnet2 subnet3
    always_direct allow ftpdr
    http_access allow subnet1
    http_access allow subnet2
    http_access allow subnet3
    http_access deny all
    ie_refresh on                         # this is needed because IE doesn't recognise transparent proxies properly
    redirect_program /usr/bin/squidGuard
    redirect_children 4

CODE
    [root@squid root]# vi squid.conf

MINI VI HOWTO: In order to type in text you need to press i. Once you're finished typing in your text, press ESC, then type :w and press ENTER. Once you've done the saving, type :q and press ENTER in order to quit vi.

7. When finished with the squid.conf, type:
CODE
    [root@squid root]# chown nobody.nobody /proxy1
    [root@squid root]# chown nobody.nobody /proxy2
    [root@squid root]# chown nobody.nobody /var/log/squid

DON'T FORGET: if you update squid (with yum update) it will change /var/log/squid back to user:squid group:squid, and this will cause errors, since we use user:nobody group:nobody. Just do chown nobody.nobody /var/log/squid after you update Squid!

8. Now it's time to create the deny_ext file in /etc/squid/:
CODE
    [root@squid root]# touch /etc/squid/deny_ext

Now you need to add this to the deny_ext file (make sure you check what extensions are denied, since you might want to allow some, and you might want to add some more):
CODE
    .wma$
    .voc$
    .mp.$
    .mpeg$
    .mpg$
    .avi$
    .asf$
    .rm$
    .ram$
    .mov$
    .wav$
    .ogg$
    .asx$
    .au$
    .cda$
    .wm.$
    .mod$
    .snd$

CODE
    [root@squid root]# vi /etc/squid/deny_ext

9. It's time to get SquidGuard:
CODE
    [root@squid root]# cd /home
    [root@squid root]# wget http://apt.sw.be/redhat/el3/en/i386/RPMS.dag/squidguard-1.2.0-2.rhel3.dag.i386.rpm
    [root@squid root]# wget http://apt.sw.be/redhat/el3/en/i386/RPMS.dag/squidguard-blacklists-20040318-1.rhel3.dag.i386.rpm
    [root@squid root]# rpm -Uvh squidguard-1.2.0-2.rhel3.dag.i386.rpm
    [root@squid root]# rpm -Uvh squidguard-blacklists-20040318-1.rhel3.dag.i386.rpm
    [root@squid root]# rm /etc/squid/squidguard.conf
    [root@squid root]# vi /etc/squid/squidguard.conf

Add the following to your squidguard.conf. Please note that this is an example; you might need to adjust certain things and remove a few rules.
CODE
    #
    # CONFIG FILE FOR SQUIDGUARD
    #
    dbhome /var/lib/squidguard
    logdir /var/log/squidguard

    src subnet1 {
        ip 192.168.2.0/24
        user foo bar
    }

    src subnet2 {
        ip 192.168.1.0/24
        user foo bar
    }

    src subnet3 {
        ip 192.168.0.0/24
        user foo bar
    }

    dest banned {
        domainlist adult/domains
        urllist    adult/urls
    }

    acl {
        subnet1 {
            pass !banned all
            redirect http://192.168.10.2
        }
        subnet2 {
            pass !banned all
            redirect http://192.168.10.2
        }
        subnet3 {
            pass !banned all
            redirect http://192.168.10.2
        }
        default {
            pass !banned all
            redirect http://192.168.10.2
        }
    }

This setup of SquidGuard will block porn sites (my tests indicated that when I searched www.google.com for "sex" and chose a few pages (50) at random, none of them managed to get past SquidGuard, so we can assume it's quite safe to rely on this list).

10. Phew, so we are now done with configuring Squid+SquidGuard; next comes the NAT, which will be done with iptables.
CODE
    [root@squid root]# touch /home/proxy-iptables
    [root@squid root]# vi /home/proxy-iptables

You'll need to add these lines to your proxy-iptables file:
CODE
    iptables -A FORWARD -i eth0 -o eth1 -j DROP
    iptables -A FORWARD -i eth0 -o eth2 -j DROP
    iptables -A FORWARD -i eth1 -o eth0 -j DROP
    iptables -A FORWARD -i eth1 -o eth2 -j DROP
    iptables -A FORWARD -i eth2 -o eth0 -j DROP
    iptables -A FORWARD -i eth2 -o eth1 -j DROP
    iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3228
    iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3228
    iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3228
    iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
    iptables -A POSTROUTING -t nat -s 192.168.1.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
    iptables -A POSTROUTING -t nat -s 192.168.2.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2

Once you're done typing this in (this might take some time, depending on your CPU and memory), it's time to make these iptables settings permanent.
CODE
    [root@squid root]# source /home/proxy-iptables
    [root@squid root]# iptables-save > /etc/sysconfig/iptables

11. Now let's make sure Squid and iptables will start up on the next boot:
CODE
    [root@squid root]# chkconfig --list | grep iptables

The following result should come back:
    iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off

If for some reason iptables is not running in any of these runlevels, just type:
CODE
    [root@squid root]# chkconfig iptables on

Check if it's running again, just to make sure.
CODE
    [root@squid root]# chkconfig --list | grep squid

This will show this:
    squid 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Just do a:
CODE
    [root@squid root]# chkconfig squid on

and check again if squid is now starting.

Add this line to your /etc/rc.d/rc.local:
    echo "1" > /proc/sys/net/ipv4/ip_forward
CODE
    [root@squid root]# vi /etc/rc.d/rc.local

12. Now we need to get Apache (to host the redirection page that we use in squidguard.conf):
CODE
    [root@squid root]# yum install httpd
    [root@squid root]# chkconfig httpd on

and modify the following line in /etc/httpd/conf/httpd.conf:
    DocumentRoot "/var/www/html"
change it to:
    DocumentRoot "/home"
(I like my web pages in my /home folder better than the default.)

Now you only need to create an index.html in /home:
CODE
    [root@squid root]# touch /home/index.html
    [root@squid root]# vi /home/index.html

You can use this example html file if you wish, or create your own:
CODE
    <html>
    <head>
    <title>! Porn Sites Are Banned !</title>
    </head>
    <body background="http://192.168.10.2/sin.jpg">
    <center><B><font face="arial" color="white" size="4">WHITEBOX</font></B><B><font face="arial" color="gold" size="2"> Enterprise Linux 3.0 Final</font></B></center>
    <br>
    <br>
    <HR>
    <center><B><font face="arial" color="white" size="+2">!<font face="arial" color="gold"> PORNO</font>/<font face="arial" color="darkorange">MP3</font>/<font face="arial" color="orange">VIDEO</font> PAGES ARE BLOCKED - YOU SHOULD WORK !</font></B></center>
    <HR>
    <br>
    <br>
    <br>
    <HR>
    <center><B><font face="arial" color="white" size="+2">!<font face="arial" color="gold"> PORNO</font>/<font face="arial" color="darkorange">MP3</font>/<font face="arial" color="orange">VIDEO</font> LAPOK BLOKOLVA - INKABB DOLGOZZON ! </font></B></center>
    <HR>
    <br>
    <br>
    <center><font face="system" color="gold" size="+1"> Proxy / Nat Server Specifications</font></center>
    <HR>
    <center><font face="system" color="white" size="1"> CPU : AMD XP 1800+</font></center>
    <center><font face="system" color="white" size="1"> MEMORY : 1024 MB DDR 400Mhz</font></center>
    <center><font face="system" color="white" size="1"> HDD : 40GB / 2x Cache Dir 10-10GB</font></center>
    <center><font face="system" color="white" size="1"> MOTHERBOARD : Gigabyte NForce2</font></center>
    <center><font face="system" color="white" size="1"> LAN : 4xRealtek 10/100Mbit</font></center>
    <HR>
    <center><font face="arial" color="cyan" size="5"> YOUR GUARDIAN ANGEL IS : SquidGUARD[tm]</font></center>
    <br>
    <center><A HREF="mailto:user@somedomain.com"><font face="system" color="yellow" size="5">YOUR NAME HERE</font></A><font face="system" color="orange" size="5"><U> MOB TEL: xxxxxxxxx</U></font></center>
    <center><font face="system" color="gold" size="3">Somebody & Nobody Co.,Ltd.</font></center>
    </body>
    </html>

13. Okay, we are done now with the configuration, so let's reboot our new (transparent) proxy+NAT server:
CODE
    [root@squid root]# reboot

Once the system is up and running again:

a.) check if squid is running:
CODE
    [root@squid root]# /etc/init.d/squid status

Next you can check the log files
    /var/log/squid/
    /var/log/squidguard/
    /var/log/messages
just to see if everything started up without complaining.

I think this is it; you now have a fully working (transparent) proxy+NAT server.

This topic is now closed; you can ask your questions about this guide in the Technical Support Forum.

Sincerely
Robert B

--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz 2048MB DDR 400Mhz DFI Lanparty UT4 NF4 ULTRA-D GeForce 7800GT 250GB+250GB Pioneer DVD-RW 17inch Samsung Syncmaster 757NF WinXP Pro (SP2)/ CentOS 4.3
--------------------
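The posted squid.conf relies on two Squid rules that are easy to get wrong: ACL names on a single http_access line are ANDed, and the first line whose ACLs all match wins. The following is an added example, not part of Robert's guide or of Squid itself: a small evaluator for http_access lines that lets you dry-run a ruleset against sample clients and URL paths before loading it on the proxy. It models only the ACL types the guide uses (src and urlpath_regex), and the deny_ext patterns are inlined as a constructed sample instead of being read from /etc/squid/deny_ext.

```python
"""Dry-run evaluator for Squid http_access rules (added example, not from the post).

Models the two rules that decide how the posted squid.conf behaves:
  * ACL names on one http_access line are ANDed; a leading '!' negates one ACL.
  * Lines are tried in order; the first line whose ACLs all match decides.
Only the 'src' and 'urlpath_regex' ACL types are implemented.
"""
import ipaddress
import re

# Constructed subset of the posted squid.conf. The deny_ext patterns are
# inlined here (a few of the entries from the posted deny_ext file) instead
# of being read from /etc/squid/deny_ext.
SQUID_CONF = """\
acl all src 0.0.0.0/0.0.0.0
acl subnet1 src 192.168.0.0/255.255.255.0
acl subnet2 src 192.168.1.0/255.255.255.0
acl subnet3 src 192.168.2.0/255.255.255.0
acl deny_ext urlpath_regex -i .mp.$ .avi$ .wma$
http_access deny deny_ext
http_access allow subnet1 subnet2 subnet3
http_access allow subnet1
http_access allow subnet2
http_access allow subnet3
http_access deny all
"""


def parse(conf):
    """Return (acls, rules): acls maps name -> (type, values); rules is an
    ordered list of (action, [(negated, acl_name), ...])."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # Squid drops trailing '#' comments
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            name, acl_type, args = words[1], words[2], words[3:]
            if acl_type == "src":
                values = [ipaddress.ip_network(a, strict=False) for a in args]
            elif acl_type == "urlpath_regex":
                flags = re.IGNORECASE if args and args[0] == "-i" else 0
                values = [re.compile(p, flags) for p in (args[1:] if flags else args)]
            else:
                raise ValueError(f"unsupported acl type: {acl_type}")
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif words[0] == "http_access":
            rules.append((words[1], [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]))
    return acls, rules


def acl_matches(acl, client_ip, url_path):
    acl_type, values = acl
    if acl_type == "src":
        return any(ipaddress.ip_address(client_ip) in net for net in values)
    return any(p.search(url_path) for p in values)  # urlpath_regex


def http_access(acls, rules, client_ip, url_path):
    """Return (decision, index of the deciding http_access line). When no line
    matches, Squid applies the opposite of the last line's action (index None)."""
    for idx, (action, terms) in enumerate(rules):
        if all(acl_matches(acls[name], client_ip, url_path) != neg for neg, name in terms):
            return action, idx
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


ACLS, RULES = parse(SQUID_CONF)


def decide(client_ip, url_path):
    return http_access(ACLS, RULES, client_ip, url_path)


def _disjoint(nets_a, nets_b):
    return not any(a.overlaps(b) for a in nets_a for b in nets_b)


def unreachable_lines():
    """Indexes of http_access lines that AND together src ACLs with no common
    address, so no single client can ever satisfy them. In the posted config
    this is 'http_access allow subnet1 subnet2 subnet3'."""
    bad = []
    for idx, (_, terms) in enumerate(RULES):
        groups = [ACLS[n][1] for neg, n in terms if not neg and ACLS[n][0] == "src"]
        if any(_disjoint(groups[i], groups[j])
               for i in range(len(groups)) for j in range(i + 1, len(groups))):
            bad.append(idx)
    return bad


if __name__ == "__main__":
    for ip, path in [("192.168.0.5", "/music/song.mp3"), ("192.168.0.5", "/index.html"),
                     ("10.0.0.5", "/index.html"), ("192.168.0.5", "/backups/bumps")]:
        print(f"{ip:13} {path:18} -> {decide(ip, path)}")
    print("unreachable http_access lines:", unreachable_lines())
```

Running it shows that the unescaped dot in `.mp.$` matches more than the intended media extensions: a path ending in `bumps` is blocked too, because `.` stands for any character rather than a literal dot. It also reports line 1 (`allow subnet1 subnet2 subnet3`) as unreachable; that line is harmless only because the three single-subnet lines after it do the real work.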
Post #2, Jun 15 2004, 01:55 PM
Its GNU/Linuxhelp.net, Group: Support Specialist, Posts: 1,417, Joined: 3-January 04, From: Serbia and Montenegro (SCG), Member No.: 2,069
Hi,
I just wanted to add this extra info which might save some time for Internet Explorer users, since our proxy is transparent and since Squid is not really an FTP proxy. If you get errors with Internet Explorer 6 when trying to open up FTP sites, do this:

1. Open up Internet Explorer
2. Click on Tools
3. Click on Internet Options
4. Click on Advanced and uncheck the following: Enable folder view of FTP sites
   and check the following: Use Passive FTP (for firewall and DSL modem compatibility)

Sincerely
Robert B

--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------