Squid as a Passive Web Content Filtering System

nospam@example.com (Keith Pachulski) — Tue, 09 Feb 2010 17:32:00 -0500

The goal here is simple, have a content filtering system in place that is transparent to the end users that will simply terminate their web browsing sessions when they attempt to access sites deemed as malicious or in violation of company policy, or home restrictions. This setup is based on CentOS 5.4 with Squid installed via yum and iptables along with a Cisco Router, though the WCCP configuration could easily be ported over to an ASA with WCCP support.

At the time of this writing, GRE tunneling as needed in this setup is not supported on either OpenSolaris or Solaris 10.

Configuring the Router for WCCP v2

? Connect to the device via console/ssh/telnet and enter into configuration mode
o enable
o conf t

? Define ?interesting traffic? via an extended access list
o ip access-list extended filter
o permit tcp 192.168.1.0 0.0.0.255 any eq 80
o exit

? Enable WCCP v2 and apply the filter list to WCCP
o ip wccp version 2
o Once you enter this command, WCCP is enabled but doing a show run does not display this command in the configuration
o ip wccp web-cache redirect-list filter
o This command tells the router to forward all traffic to the Squid server once it has connected to the router/switch
o On the outbound interface (the one connected to the internet feed) enter the following
o Interface
o ip wccp web-cache redirect out
? This command tells the router to redirect all outbound traffic as defined by the filter access list.
o Write the configuration before moving onto the Squid server configuration
o ctrl+z
o wr mem

Configuring the Squid Server for WCCP v2

By default Squid, if installed from an rpm which it should be, stores its configuration files in /etc/squid/.

Before beginning the configuration of squid, backup the original configuration file by doing the following:

? cd /etc/squid
? cp squid.conf squid.conf.original
o This command will rename the original squid.conf to squid.conf.original

Create the new squid configuration file and insert the base configuration information for Squid to support WCCP v2 content filtering:

? su
o enter root password
? cd /etc/squid
? vi squid.conf
? Hit the 'i' key to enter into insert mode then paste in the following:

#Enable transparent mode on the default Squid service port of 3128

http_port 3128 transparent
#Default stuff Squid needs to function
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
ftp_passive on
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
client_lifetime 1 day
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 7004
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#Define the networks to be filtered and the WCCP device which will be using the server
#Define networks here, this MUST mirror the filter access-list created on the router/ASA
acl our_networks src 192.168.1.0/24

#Add the squid access list files here
acl blocksites dstdomain "/etc/squid/deniedsites.acl"

#Define how we deny the traffic matching the blocked sites list - Any web traffic matching the destination domains will generate a TCP reset to the client
deny_info TCP_RESET blocksites
http_access deny blocksites

#Define traffic we will allow which has not been blocked by the previous
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname squid

#Define WCCP router/switch information here
wccp2_router 192.168.1.254
wccp_version 4
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0
coredump_dir /var/spool/squid

? Once this has been posted into the configuration file, hit escape then type :wq and hit enter ? this will write and exit from the file
? Type exit and hit enter to leave the root account.

Configuring the CentOS Server for GRE Tunneling and traffic forwarding

Load the ip_gre module, make sure you load the correct gre module for the current kernel loaded. If the kernel is updated you should remove and reload the updated module

? insmod /lib/modules/2.6.18-164.11.1.el5/kernel/net/ipv4/ip_gre.ko

Creating the GRE interface on the server

? NOTE: Be careful when manually creating the GRE interface, editing the wrong file or inserting incorrect characters into the interface configuration file may render the system useless.
? su
o Enter the root password
? vi /etc/sysconfig/network-scripts/ifcfg-gre0
o NOTE: This is an example of how the interface is configured, correct the following fields with the IP information reflecting the network where the device is being installed

#The IP Address of the interface should be the same as the primary interface on the server
DEVICE=gre0
BOOTPROTO=static
BROADCAST=192.168.1.255
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=10.5.0.0
ONBOOT=yes
TYPE=Ethernet

? Once this has been posted into the configuration file, hit escape then type :wq and hit enter ? this will write and exit from the file
? Turn the interface up by typing the following
? ifconfig gre0 up
? Type exit and hit enter to leave the root account.

Enable IP Forwarding within the server operating system

? su
o Enter the root password
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter

Creating the IP GRE Tunnel from the Squid Server to the WCCP router/switch

? su
o Enter the root password
? /usr/sbin/iptunnel add wccp mode gre remote 192.168.1.254 local 192.168.1.1 dev eth0
o Note: correct the remote and local address to reflect the correct IP of the remote WCCP device and the local address of the Squid server.
? vi /etc/rc.local
o hit 'i' to enter into insert mode and paste in the following
o /usr/sbin/iptunnel add wccp mode gre remote 192.168.1.254 local 192.168.1.1 dev eth0
? Once this has been posted into the configuration file, hit escape then type :wq and hit enter ? this will write and exit from the file
? Type exit and hit enter to leave the root account.

Modifying the static iptables rule set and adding the port redirection

? su
o Enter the root password
? vi /etc/sysconfig/iptables
o hit 'i' to enter insert mode and add the following lines into the firewall configuration
o -A RH-Firewall-1-INPUT -p gre -j ACCEPT
o Allows GRE traffic to the Squid server
o -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 2048 -j ACCEPT
o Allows WCCP traffic to the server
o -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3128 -j ACCEPT
o Allows traffic to the Squid service port
? Once this has been posted into the configuration file, hit escape then type :wq and hit enter ? this will write and exit from the file
? Type the following to enable port redirection for traffic coming into the GRE interface to the Squid service
o /usr/bin/iptables -t nat -I PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
? vi /etc/rc.local
o hit 'i' to enter into insert mode and paste in the following
o /usr/bin/iptables -t nat -I PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
? Once this has been posted into the configuration file, hit escape then type :wq and hit enter ? this will write and exit from the file
? Type exit and hit enter to leave the root account.

Starting the Squid service and verifying WCCP connection from the Squid server to the router/switch

WCCP Router
? Console/ssh to the WCCP router and enter the following commands
o enable
o conf t
o logging on
o logging monitor debug
o exit
o debug ip wccp event
o debug ip wccp packets
o terminal monitor
Squid Server
? Start the Squid service
? su
o Enter the root password
? /etc/rc.d/init.d/squid start

Once the squid service has started, you should start seeing messages on the router/switch saying new WCCP router detected and then a flurry of ?Here_I_Am? and ?I_See_You? messages on the console. Once you see these, the squid server has successfully connected to the WCCP service on the router/switch.

Populating the deniedsite.acl

Sites that you want to deny access to should be added to the file mentioned previously in the configuration at /etc/squid/deniedsites.acl

These should be added in same top-level structure as the user accessed the site. For example, the user goes to www.playboy.com - We want to deny access to the top level as well as all subdomains of .playboy.com so in the deniedsites.acl file we add the following:

Information Security, Privacy and Regulatory Compliance - Content Filtering

Squid as a Passive Web Content Filtering System