#1 CHR1S

    Transparent Proxy with LEA supplied squid server

I wish to add my own transparent proxy to remove the need to add proxy settings for any device that connects, specifically Android devices with no proxy server options.

    We have a squid proxy supplied by Birmingham LEA.

    With squid being transparent aware, can I set up any old machine with another install of squid and let it do its thing?

Will HTTPS traffic just route to the squid (LEA) as it can't be cached, or fail?

#2 CHR1S

    Also, will changing the default gateway to the transparent proxy give the desired effect or are there other ways of implementing?

#3 CHR1S

    Quickest reply from the LEA ever! They gave a resounding yes to a transparent proxy and just said change the default gateway to the new proxy.

    Simple as

#4 TechieWils

    You beat me to it, so to confirm.

Yes, installing a new squid box (transparent) and pointing to your LEA proxy upstream will work.
No, HTTPS just dies, man-in-the-middle attack etc.
Yeah, change your default gateway to your transparent gateway and you're good to go.

Works with all HTTP traffic on all devices, but be aware stuff like the Android Market allows you to view apps but not download them. It uses non-standard ports to download. Hope it helps.

Thanks to TechieWils from: CHR1S (11th May 2012)

#5 Michael

    I've asked this very question in the past and I was told 'no'. For the exact same reason(s) that schools are starting to use a range of Operating Systems and not just Windows.

It would be nice if a transparent proxy option was offered to schools, even for a small fee (wink, wink).

Thanks to Michael from: CHR1S (11th May 2012)

#6 TechieWils

Apparently Link2ICT are investigating it but have found a number of issues with their infrastructure, mainly the Cisco switches not being able to handle a specific protocol (can't remember which one now).

A little naughty, but I just couldn't build my own squid box (more time and practice required), so I stuck SmoothWall Express on a VM to test it out and it works like a charm. It's also put us on a path to get a proper Smoothie box and finally leave BGfL.

#7 Michael

    I find that a little surprising. Cisco are one of the market leaders, so you'd expect them to handle most protocols out there (but I'll take your word for it).

    Either way, the need for transparent proxies is becoming more of an issue and at the end of the day, 99.9% of teachers do not care what a proxy is and they just want things to work (quite rightly).

#8 TechieWils

Completely agree with you, they need to get it sorted and start offering a real transparent proxy solution instead of saying "do it yourself, it does work" and that's it. I'll dig out the document they sent me, I know it's round here somewhere...

#9 TechieWils

Found it, but I can't upload it from my phone, so I will in the morning. The protocol was WCCP on Cisco edge switches, btw.

#10 Michael

A quick Google reveals it may be the WCCP protocol (Web Cache Communication Protocol).

    Edit: Beat me to it reading up on it!

#11 ricki

    Hi

If you place a firewall on the box, something like FireHOL, you can set it to forward the ports to either the internet, squid or the county proxy, like for SSH. Proxies can change the packets when they come through, so it looks like it's been tampered with.

You can also put DansGuardian on as well, so the firewall passes the traffic to DansGuardian and then on to squid, so you can have a filtered transparent proxy.

The transparent proxy is a good idea from the point that you don't have to put settings into IE, but not for security. If someone gets onto the network they can have direct access to the internet. We are setting this up at the moment for a hotspot VLAN with two cards in it.

#12 Duke5A

I just did this a couple of months ago for a segregated guest WiFi VLAN. I set up Squid 3.0 as a transparent proxy and iptables to pass the traffic between NICs. Port 80 gets forwarded to Squid, a couple of ports go straight through, and the rest get blocked. Once through, Squid will then forward the traffic up to the ISD for content filtering. The whole thing runs in a VM and even has a captive portal splash page for users to accept our terms of service. It works nicely, but as already noted, HTTPS doesn't forward through Squid.

#13 ricki

Quote Originally Posted by Duke5A:
    I just did this a couple of months ago for a segregated guest WiFi VLAN. I set up Squid 3.0 as a transparent proxy and iptables to pass the traffic between NICs. Port 80 gets forwarded to Squid, a couple of ports go straight through, and the rest get blocked. Once through, Squid will then forward the traffic up to the ISD for content filtering. The whole thing runs in a VM and even has a captive portal splash page for users to accept our terms of service. It works nicely, but as already noted, HTTPS doesn't forward through Squid.

How did you get the redirect to work on the first screen? We have tried to get this to work but it will not work.

    Richard

#14 Duke5A

Quote Originally Posted by ricki:
    How did you get the redirect to work on the first screen? We have tried to get this to work but it will not work.

    Richard

I used this guide to get iptables to route traffic between the NICs and forward port 80 to Squid.

    Linux: Setup a transparent proxy with Squid in three easy steps

The only thing it doesn't cover is restoring the rules on reboot. iptables will revert back to a stock configuration after every reboot unless you import the rules again. The answer to this is in post #13 of this thread.

    [ubuntu] Ubuntu v8.10 Auto Start IPTables - Page 2 - Ubuntu Forums

    I hope this helps...
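As an added example (not Duke5A's own configuration and not the linked guide), a script for the two-NIC layout described in posts #12 and #14: port 80 redirected into Squid, a short allow-list of ports passed straight through, everything else from the guest VLAN logged and dropped, the rules persisted across reboot, and the squid.conf lines that send all requests to the upstream filter. Interface names, the LAN range, the upstream proxy host and port, and the pass-through ports are assumed placeholders.

```shell
#!/bin/sh
# Added example (not Duke5A's script): two-NIC transparent Squid box as in the
# thread. Interfaces, LAN range, upstream proxy and pass-through ports are
# assumed placeholders; override them in the environment.
LAN_IF="${LAN_IF:-eth1}"            # guest VLAN side
WAN_IF="${WAN_IF:-eth0}"            # side facing the upstream (LEA/ISD) proxy
LAN_NET="${LAN_NET:-192.168.50.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
UPSTREAM="${UPSTREAM:-proxy.example.invalid}"
UPSTREAM_PORT="${UPSTREAM_PORT:-8080}"
PASS_PORTS="${PASS_PORTS:-443 53}"  # straight through: HTTPS (not intercepted by Squid here), DNS
DRY_RUN="${DRY_RUN:-0}"             # 1 = print commands instead of running them

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Port 80 from the LAN is redirected into Squid, the pass-through ports are
# forwarded as-is, everything else from the guest VLAN is logged and dropped so
# there is no direct path around the proxy (the gap ricki points out).
apply_rules() {
    run iptables -t nat -F
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$SQUID_PORT"
    for p in $PASS_PORTS; do
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp --dport "$p" -j ACCEPT
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport "$p" -j ACCEPT
    done
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN_IF" -j LOG --log-prefix "guest-vlan-blocked: "
    # Rules are lost on reboot: persist with iptables-save and reload them at boot.
    run sh -c "iptables-save > /etc/iptables.rules"
}
# squid.conf directives: intercept listener plus the upstream parent, with
# never_direct so every request goes via the LEA/ISD filter rather than direct.
# Squid 3.0 spells the listener option "transparent"; 3.1+ uses "intercept".
squid_conf() {
cat <<EOF
http_port $SQUID_PORT transparent
cache_peer $UPSTREAM parent $UPSTREAM_PORT 0 no-query default
never_direct allow all
EOF
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  DRY_RUN=1; apply_rules; squid_conf ;;
esac
```

Run `sh script.sh show` to review the generated rules and squid.conf lines without touching the firewall, and `sh script.sh apply` as root on the proxy box; restore the saved rules at boot with `iptables-restore < /etc/iptables.rules`.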

#15 Michael

Quote Originally Posted by ricki:
    The transparent proxy is a good idea from the point that you don't have to put settings into IE, but not for security. If someone gets onto the network they can have direct access to the internet. We are setting this up at the moment for a hotspot VLAN with two cards in it.

I've heard this argument before, but it's not a good argument in my opinion. To access the LAN itself you'll need to break into the building, or if you can access and break the WLAN, you probably have a poor wireless configuration/security setup.

    Modern wireless encryption such as WPA2-PSK AES is pretty much unbreakable. There's always at least one wireless network which is wide open or poorly secured with WEP and these are the kind of networks (if I were that way inclined) I would target.

If you wanted to go further, you could easily switch on/off wireless access points or configure MAC address filtering. There's so much you can do these days, and manually entering a proxy is considered tedious by many, especially teachers who have to enable it at school and disable it at home.


