Passerelles numériques Cambodia
Street 371 Phum Tropeang Chhuk (Borey Sorla), Sangkat Tek Thia, Khan Sek Sok, P.O. Box 511, Phnom Penh, Cambodia
Tel: +855 23.99.55.00 [email protected]

Prepared by: VANDA.KANY
Deadline: 12th December 2016
Submit: Google Classroom
Class: SNA-B
Subject: Firewall and Proxy server
Teacher: Chanlin & Pisey

Proxy+firewall linux


Based on the network infrastructure, the administrator assigns IP addresses manually to the client computers and to the proxy server. In this case the LAN clients reach the internet through a proxy service. Ensure that clients cannot access Facebook, YouTube and movie websites during working time; the only exception is the manager, whose PC (IP address 10.10.xx.1/24) reaches the internet directly without enabling the proxy service in the web browser.
Note: all clients must pass through the firewall policy.
Working time:
1. Server
A. Proxy/Firewall Server can access the internet
B. LAN Server can ping the Proxy/Firewall Server
C. LAN Server can remote into the Proxy/Firewall Server
D. LAN Server can access the internet without using the Proxy Server
E. Local DNS Server requests DNS from the ISP
2. Client
A. LAN staff request DNS from the local DNS server
B. IP address 10.10.xx.1 can access the internet without using the proxy
C. LAN staff IPs from 10.10.xx.2-10.10.xx.253/24 have to use the proxy to access the internet, by blocking:
a. Block websites (social network or video/movie websites)
b. Block download extensions (.mp3, .mp4, .exe)
c. All staff can access any website outside of working time.
d. Make sure clients cannot access websites listed as bad in the squidGuard and Shallalist files.
e. For Shallalist, deny only the folders named: sex, gamble, movies, hacking and dating.
f. Allow LAN staff to access any website outside of working time by allowing it in the squidGuard service.
Firewall and Proxy: HDD: 50-100 GB, RAM: 1-2 GB, OS: Linux
Client: RAM: 521, HDD: 50-100 GB, OS: Windows 7
You must configure the IP addresses of your firewall/proxy server. Run the command yast lan, then assign the IP addresses and enable routing.
In this step you must also assign the gateway and enable routing, so that every interface is recognised and can communicate with the other networks.
The IP configuration just completed covers three interfaces and three networks.
After enabling routing and assigning the IP addresses, you need to add the ISP's DNS server to the resolver configuration. Example: vi /etc/resolv.conf.
1. Server
A. Proxy/Firewall Server can access the internet
Before you configure the firewall, make sure the interfaces of the firewall match the LAN-server and LAN-staff networks. You must also allow the LAN server to send DNS requests to the ISP, so that it can resolve hostnames and reach the internet easily. Start by creating a file with the .sh extension, using touch or vim.
Example: touch firewall.sh or vim firewall.sh
The result: the firewall can access the internet.
B. LAN Server can ping the Proxy/Firewall Server
When you allow the LAN server to ping the firewall, make sure the server has an IP address, a default gateway and DNS configured. For my server I have already installed DNS and AD.
This is the rule that allows the LAN server to ping the firewall.
The result: the LAN server can ping the firewall, but the firewall cannot ping the server.
Result: the firewall cannot ping the LAN server, because the rule only allows the server to ping the firewall.
C. LAN Server can remote into the Proxy/Firewall Server
When you allow the LAN server to remote into the firewall, you need to create a rule restricted to a specific user and a specific IP address, because you must secure your firewall. I chose SSH for remote access to the firewall.
The result of the SSH remote session:
After connecting over SSH, I copied the folder named BL to the firewall.
D. LAN Server can access the internet without using the Proxy Server
For the server to access the internet without the proxy server, we need to create NAT so that the server can use the internet, and allow the LAN server to reach the internet only indirectly through the firewall. In addition, remember the ISP's DNS server, because it is important for translating hostnames to IP addresses. Let's see the steps below. It is recommended to run the command: echo 1 > /proc/sys/net/ipv4/ip_forward.
The result: the server accesses the internet without the proxy.
E. Local DNS Server requests DNS from the ISP
In this step you must allow the DNS server to send DNS requests to the ISP, because you need the LAN server to access the internet. If you do not allow DNS requests to the ISP,
your server cannot resolve the hostname of the website you want to reach. Below is the syntax that you must create.
This is the result of the LAN server requesting DNS from the ISP's DNS.
2. Client
A. LAN staff request DNS from the local DNS server
If you want to allow staff to access the internet, you must allow the LAN staff to obtain DNS from the ISP, so that they can reach sites by hostname (DNS).
This is the result of allowing LAN staff to request DNS from the ISP's DNS.
B. IP address 10.10.xx.1 can access the internet without using the proxy server.
Now I need to allow the LAN-staff IP address 10.10.34.1 to access the internet without using the proxy server.
One more thing: your LAN staff must already be able to request DNS from the ISP, so that they can use the internet.
The result: the LAN-staff address can access the internet without the proxy.
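The rules from sections 1.A to 2.B, plus the "proxy only" rule for the rest of the staff LAN in 2.C, collected into one firewall.sh as an added example (this is not the lab's own script). Assumed layout: eth0 faces the ISP, eth1 is the LAN-server network 10.10.35.0/24 with the DNS/AD server (and the only permitted SSH source) at 10.10.35.10, eth2 is the LAN-staff network 10.10.34.0/24 with the manager at 10.10.34.1, and squid listens on port 3128.

```shell
#!/bin/sh
# Added example, not the lab's own firewall.sh. Assumed layout: eth0 = ISP,
# eth1 = LAN-server net 10.10.35.0/24 (DNS/AD + admin host 10.10.35.10),
# eth2 = LAN-staff net 10.10.34.0/24 (manager 10.10.34.1), squid on :3128.
IPT="${IPT:-iptables}"      # set IPT=echo to preview the rules without applying
WAN=eth0; SRV_IF=eth1; STAFF_IF=eth2
SRV_NET=10.10.35.0/24; DNS_SRV=10.10.35.10; ADMIN_HOST=10.10.35.10
STAFF_NET=10.10.34.0/24; MANAGER=10.10.34.1

enable_forwarding() { echo 1 > /proc/sys/net/ipv4/ip_forward; }

apply_firewall() {
  $IPT -F; $IPT -t nat -F
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 1.A the firewall itself reaches the ISP: DNS, web (squid fetches), ping
  $IPT -A OUTPUT -o $WAN -p udp --dport 53 -j ACCEPT
  $IPT -A OUTPUT -o $WAN -p tcp -m multiport --dports 80,443 -j ACCEPT
  $IPT -A OUTPUT -o $WAN -p icmp --icmp-type echo-request -j ACCEPT
  # 1.B the LAN server may ping the firewall; there is no OUTPUT rule for the
  #     reverse direction, so the firewall cannot ping the server (as observed)
  $IPT -A INPUT -i $SRV_IF -s $SRV_NET -p icmp --icmp-type echo-request -j ACCEPT
  # 1.C SSH only from the admin host (limit the user with AllowUsers in sshd_config)
  $IPT -A INPUT -i $SRV_IF -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
  # 1.D NAT: the LAN-server network browses directly through the firewall
  $IPT -t nat -A POSTROUTING -s $SRV_NET -o $WAN -j MASQUERADE
  $IPT -A FORWARD -i $SRV_IF -s $SRV_NET -o $WAN -p tcp -m multiport --dports 80,443 -j ACCEPT
  # 1.E the local DNS server forwards queries to the ISP resolvers
  $IPT -A FORWARD -i $SRV_IF -s $DNS_SRV -o $WAN -p udp --dport 53 -j ACCEPT
  # 2.A staff resolve names only through the local DNS server
  $IPT -A FORWARD -i $STAFF_IF -s $STAFF_NET -o $SRV_IF -d $DNS_SRV -p udp --dport 53 -j ACCEPT
  # 2.B the manager bypasses the proxy
  $IPT -t nat -A POSTROUTING -s $MANAGER -o $WAN -j MASQUERADE
  $IPT -A FORWARD -i $STAFF_IF -s $MANAGER -o $WAN -j ACCEPT
  # 2.C other staff may only talk to squid; with no FORWARD rule from eth2 to
  #     eth0 their direct browsing is dropped, so the proxy is the only way out
  $IPT -A INPUT -i $STAFF_IF -s $STAFF_NET -p tcp --dport 3128 -j ACCEPT
}

if [ "${1:-}" = apply ]; then enable_forwarding; apply_firewall; fi
```

Run `IPT=echo sh firewall.sh apply` first to review the generated rules, then `sh firewall.sh apply` as root on the firewall.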
C. LAN staff IPs from 10.10.xx.2-10.10.xx.253/24 have to use the proxy to access the internet, by blocking:
To allow LAN staff to access the internet through the proxy, you need to know which service to install so that the proxy can run. Follow these steps: run yast -i squid (or yast -i and select the package), then cd /etc/squid, ls to view the files, and vi squid.conf. After configuring, do not forget to restart the service.
Install squid and squidGuard.
In this step you must enter the IP address of the proxy/firewall in the browser's proxy settings; when you then access the internet, the browser shows the page below.
This is the result of allowing LAN staff to access the internet using the proxy.
a. Block websites (social network or video/movie websites)
Now I will block social network and video/movie websites such as youtube.com, 123movies.to, facebook.com, ...
So you just create the syntax that blocks the social networks, together with the information about what you allow or deny.
Let's test by having a staff PC access a website for which we set permissions.
b. Block download extensions (.mp3, .mp4, .exe)
After blocking the websites, we now test blocking the download extensions listed above.
The result of the file-extension block test: this picture shows an .mp3 file being blocked by the proxy.
c. All staff can access any website outside of working time.
This step means that all staff can use the internet for entertainment after they finish working time. Make sure the days and times during which all staff are allowed are set on the proxy server.
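Items a to c expressed as squid ACLs, as an added example that is not the lab's squid.conf. The working time (Mon-Fri 08:00-17:00), the staff network 10.10.34.0/24 and the proxy port 3128 are assumptions, since the page does not state them; the script writes the configuration to a path you give it so it can be reviewed before copying to /etc/squid/squid.conf.

```shell
#!/bin/sh
# Added example, not the lab's own squid.conf. Assumptions: staff LAN is
# 10.10.34.0/24, squid listens on 3128, working time is Mon-Fri 08:00-17:00.
write_squid_conf() {
  cat > "$1" <<'EOF'
http_port 3128
# staff range 10.10.34.2-10.10.34.253 (the manager .1 never uses the proxy)
acl lanstaff src 10.10.34.0/24
# working time; squid day letters: M T W H(=Thu) F
acl working_time time MTWHF 08:00-17:00
# a. social network and video/movie sites (leading dot also matches subdomains)
acl blocked_sites dstdomain .facebook.com .youtube.com .123movies.to
# b. download extensions at the end of the URL path; only visible for plain
#    HTTP, an HTTPS download path is hidden inside the CONNECT tunnel
acl blocked_files urlpath_regex -i \.(mp3|mp4|exe)$
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports
# a+b apply only during working time; c. outside it everything is allowed
http_access deny lanstaff working_time blocked_sites
http_access deny lanstaff working_time blocked_files
http_access allow lanstaff
http_access deny all
# d-f: every allowed request is also checked by squidGuard's blacklists
url_rewrite_program /usr/sbin/squidGuard -c /etc/squidguard.conf
EOF
}

# small check for a dry run on the workstation: how many deny rules were written
count_deny_rules() { grep -c '^http_access deny' "$1"; }
```

Validate the file on the proxy with `squid -k parse` before restarting the service.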
d. Make sure clients cannot access websites listed as bad in the squidGuard and Shallalist files.
Before you allow users to access any website, make sure that no user can access the bad websites.
To configure the file, squidGuard must already be installed alongside squid.
Just run vi /etc/squidguard.conf and create the rule below.
Now I redirect the generic blacklisted websites to gmail.com.
You need to know the directory that contains the domain blacklist we want to block.
Then vi domains to view the blacklisted hostnames.
When the configuration is done, you must run the following commands:
We must run the commands below to create the database and to hand ownership of the database directory over to the squid user.
1. Command: squidGuard -d -b -C all
2. Command: chown squid * (delegate ownership)
3. Command: chown squid /usr/sbin/squidGuard
4. Command: chown -R squid /var/lib/squidGuard/db/
Let's test a blacklisted website, to see whether it is redirected to gmail.com or not.
Redirected to Gmail.
e. For Shallalist, deny only the folders named: sex, gamble, movies, hacking and dating.
To deny these folders, you must copy the main folder that contains the subfolders to the directory /var/lib/squidGuard/db.
Our main folder is named BL and contains these subfolders.
After copying the subfolders, we need to create the syntax in /etc/squidguard.conf.
The result: redirected to gmail.com.
f. Allow LAN staff to access any website outside of working time by allowing it in the squidGuard service.
Just create a new rule that allows staff to access any website in their free time.
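Items d, e and f combined in one squidguard.conf, as an added example that is not the lab's own file: the BL folder copied to /var/lib/squidGuard/db, only the five Shallalist folders from item e denied, blocked requests redirected to gmail.com as the lab does, and everything allowed outside working time. The staff range 10.10.34.2-10.10.34.253 and the working time Mon-Fri 08:00-17:00 are assumptions.

```shell
#!/bin/sh
# Added example, not the lab's own squidguard.conf. Assumptions: staff range
# 10.10.34.2-10.10.34.253, working time Mon-Fri 08:00-17:00; the BL folder
# from the lab is already copied to /var/lib/squidGuard/db (item e).
write_squidguard_conf() {
  cat > "$1" <<'EOF'
dbhome /var/lib/squidGuard/db
logdir /var/log/squidGuard

time working_time {
    weekly mtwhf 08:00 - 17:00
}

src lanstaff {
    ip 10.10.34.2-10.10.34.253
}

# e. only these five Shallalist folders are denied (paths relative to dbhome)
dest sex     { domainlist BL/sex/domains     urllist BL/sex/urls     }
dest gamble  { domainlist BL/gamble/domains  urllist BL/gamble/urls  }
dest movies  { domainlist BL/movies/domains  urllist BL/movies/urls  }
dest hacking { domainlist BL/hacking/domains urllist BL/hacking/urls }
dest dating  { domainlist BL/dating/domains  urllist BL/dating/urls  }

acl {
    # d. during working time the blacklists apply; hits go to gmail.com as in the lab
    lanstaff within working_time {
        pass !sex !gamble !movies !hacking !dating all
        redirect http://gmail.com
    } else {
        # f. outside working time staff may browse anything
        pass all
    }
    # anything not from the staff range is refused
    default {
        pass none
        redirect http://gmail.com
    }
}
EOF
}

# rebuild the .db files after editing the lists (the commands from the lab)
rebuild_blacklist_db() { squidGuard -d -b -C all && chown -R squid /var/lib/squidGuard/db/; }
```

After writing the file to /etc/squidguard.conf, run rebuild_blacklist_db as root and restart squid so the new lists take effect.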