Running A Transparent Linux Squid Bridge / Turn your Linux box into a Cisco like Catalyst switch

This How-To guides you to run your Linux box with Squid in a transparent bridge mode.

Let us face some facts. Not everybody, especially a small office network or a small home network can afford a Cisco catalyst switch. To replicate the features of a sophisticated switch like a Cisco catalyst switch, we can setup a Linux box with more than 2 network interfaces to run in bridging mode. Or more simply, a Linux bridged box having switching capabilities.

A bridge is a way to connect two Ethernet segments together in a protocol independent way. Packets are forwarded based on Ethernet address, rather than IP address (like a router). Since forwarding is done at Layer 2, all protocols can go transparently through a bridge.

You can think of a bridge like a network switch. We will be using this Linux Transparent Squid Bridge like a switch according to the network diagram below:

Internet (5)

↑↓

Router (4)

↑↓

Linux Bridge (3)

↑↓

Physical Switch (2)

↑↓

LAN Network (1)

Reasons for running a Linux bridge are:

(A.) The job of the bridge is to examine the destination of the data packets one at a time and decide whether or not to pass the packets to the other side of the Ethernet segment. The result is a faster, quieter network with less collisions.

(B.) You can overcome hardware incompatibilities with a bridge, without leaving the address-range of your IP-net or subnet. E.g. it’s possible to bridge between different physical media like 10 Base T and 100 Base TX.

(C.) You don’t need to change your existing network layout. You just plug in the bridge and you start working. If for some reasons, your Linux bridge box should go down, reconnect the cables from your switch (2) to your router (4), and nobody will even notice that something was not working!

Features of a Linux Bridge box:
STP
The Spanning Tree Protocol is a nifty method of keeping Ethernet devices connected in multiple paths working. The participating switches negotiate the shortest available path by STP.
Multiple Bridge Instances
Multiple bridge instances allow you to have more than one bridge on your box up and running, and to control each instance separately.
Fire-walling

Because we are running a Linux box with a kernel 2.4.x or 2.6.x, we can also apply some IPTABLES firewall rules.

What do I need to run such a Linux Bridge?

You just need a Linux OS with a kernel greater than 2.4. I prefer the 2.6 kernel. The minimum number of network interfaces in your Linux box should at least be 2. This guide assumes that the Linux box has 2 network interfaces, i.e., eth0 and eth1.

However, you may use any number of network interfaces supported on by the hardware of your Linux box.

You then need the “bridge-utils” package. The 2nd tool needed is “ebtables”.

You can use either the binaries installed by your OS distribution or simply download them from the internet.

On a Debian box , it’s as simple as: apt-get install bridge-utils ebtables

The Bridge-Utils package contains the main tools required to setup and configure a Linux bridge. Among the tools provided by bridge-utils, brctl will primarily be used to construct the bridge.

The ebtables program is a filtering tool for a bridging firewall. The filtering is focussed on the Link Layer Ethernet frame fields. It also gives us the ability to alter the Ethernet MAC addresses.

Now that you have a 2.4/2.6 Linux kernel box and you have somehow managed to install the bridge-utils and ebtables packages, we can move on to the next topic of configuring the bridge and running a transparent squid on it.

Installing and configuring Squid

(1.) Create the user squid and group squid

groupadd squid

useradd -g squid squid

(2.) Download the latest version of squid in /usr/local/src

cd /usr/local/src
wget http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE18.tar.gz

(3.) Unzip it’s contents

tar zxvf squid-2.6.STABLE18.tar.gz

(4.) Configure squid with the following parameters

cd squid-2.6.STABLE18

./configure –bindir=/usr/local/sbin \

–sysconfdir=/usr/local/etc/squid \
–datadir=/usr/local/etc/squid \
–libexecdir=/usr/local/libexec/squid \
–localstatedir=/usr/local/squid \
–enable-removal-policies=heap,lru \
–enable-storeio=diskd,aufs,coss,ufs,null \
–enable-time-hack \
–enable-snmp \
–with-large-files \
–enable-large-cache-files \
–prefix=/usr/local \
–disable-ident-lookups \
–enable-cache-digests \
–enable-underscores \
–enable-kill-parent-hack \
–enable-follow-x-forwarded-for

(5.) If all goes well, run

make all
make install

That’s it. Squid should now be installed. It’s time to do some Squid configurations.

Note: If you encounter problems in configuring or compilation, 99% of them can be solved. The errors are either related to missing compilers, packages or dependencies.

(6.) Create a new Cache directory for Squid

mkdir -p /usr/local/squid/cache

(7.) Create a new /usr/local/etc/squid/squid.conf

cd /usr/local/etc/squid

mv /usr/local/etc/squid/squid.conf /usr/local/etc/squid/squid.conf.default.config

vi /usr/local/etc/squid/squid.conf

##Copy and paste following working configuration
########### Start of squid.conf ##############
cache_effective_user squid
cache_effective_user squid

http_port 3128 transparent

cache_dir ufs /usr/local/squid/cache 2000 16 256

cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
cache_store_log none

emulate_httpd_log on

cache_mem 16 MB

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

hosts_file /etc/hosts

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 40% 4320

acl all src 0.0.0.0/0.0.0.0

##Define your network below

acl mynetwork src 192.168.0.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https

acl Safe_ports port 1025-65535 #unregistered ports

acl SSL_ports port 443 563

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access allow mynetwork
http_access deny all
http_reply_access allow all
icp_access allow mynetwork

icp_access deny all

visible_hostname proxybridge.hostname.com

coredump_dir /usr/local/squid

######## End of squid.conf ##########

(8.) Change the permissions of squid logs and cache_dir

chown -R squid:squid /usr/local/squid/

chown -R squid:squid /usr/local/etc/squid/

(9.) Initialize Squid’s cache and run Squid in daemon mode

/usr/local/sbin/squid -z

/usr/local/sbin/squid -D

Check for any errors. If there are none, put the proxy server manually in your web browser and try browsing websites!

Next, we will setup a bridge using the tools provided by the package “bridge_utils”


As stated above, 1 of the most important tools installed by the bridge-utils package is brctl command.

We will be using the brctl command for creating a logical bridge instance with the name br0. You will need at least 1 bridge instance for bridging to work.

(1.) Creating the logical bridge instance called br0.

#Add bridge instance called br0

brctl addbr br0

#Show your bridge status
brctl show

#Show MAC addresses on your bridge

brctl showmacs br0
(2.) Add your network interfaces to the bridge.

brctl addif br0 eth0

brctl addif br0 eth1

(3.) Zero in your IP network interfaces to 0.0.0.0 and bring it up.
ifconfig eth0 0.0.0.0 promisc up

ifconfig eth1 0.0.0.0 promisc up

(4.) Bring up the bridge. Since we also want to administer this bridge box, we point an IP address to the br0 interface.

ifconfig br0 192.168.100.9 netmask 255.255.255.0 up

(5.) Give your bridge interface br0 a default gateway so that you can access it via SSH, etc.

route add default gw 192.168.100.1 dev br0

That’s it. You have a simple yet a very effective Linux bridge box!

The final remaining part is to redirect the web requests from your network to your bridged box running Squid transparently.

(1.) To redirect web traffic from your LAN to your Bridge box transparently, run the following script called rc.bridge.

#####Start of rc.bridge script ######

#!/bin/sh

###Date: 12-Oct-2007

###tekbdrlimbu@hotmail.com####

/sbin/ebtables -t broute -A BROUTING -p IPv4 –ip-protocol 6 \
–ip-destination-port 80 -j redirect –redirect-target ACCEPT
/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp –dport 80 \
-j REDIRECT –to-port 3128
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j REDIRECT –to-ports 3128
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 80 -j REDIRECT –to-ports 3128
/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp –dport 80 -j REDIRECT –to-ports 3128

######### End of rc.bridge script #####

Run this script and restart Squid. You will have a working Squid transproxy running in a Linux bridged box!!!

We will cover more advanced topics like Spanning Tree Protocol (STP) , MAC and ARP filtering , etc, in the coming days ahead.

Happy bridging!!!

Advertisements

16 responses to “Running A Transparent Linux Squid Bridge / Turn your Linux box into a Cisco like Catalyst switch

  1. Thanx will definately try the above and like your writting style.

  2. Great do some mor work with explanation
    to cover up multyhoming

  3. Is the subnet Mask necessary ? can’t I use a transparent bridge ?

  4. What is the use of the ebtables line exactly? I thought tracking MACs was not necessary in a bridge setup?! Thanks for clarifying.

  5. I will try this solution first. !!!!

  6. First of all thank you fir this simple and yet very effective how to. My linux bridge is running perfectly smooth! However, i need to bypass squid “IF” a client requested a specific web site (due to site restrictions i.e. can’t login). Please make a litte how to about bypassing the bridge for a certain site, i’ve read the EBTABLES doc site but still no luck.
    Thank you so much.

  7. I used this iptables and its works for me !

  8. Hi,

    This was really great. Things are clearly explained and quite understandable. I tried the same and it worked perfectly fine for me. Actually a “too-well-written” scenario.

    However, I have a case where if the squid service on the server is down, the server should pass complete traffic (in bridge mode) without forwarding it to port 3128. Is there a possibility for this?

    Regards,
    SaN

  9. Pingback: Transparent Linux Squid Bridge « Estudiando CCNA2 con Eliezer

  10. How if we have dmz server like below;

    Internet
    |
    |
    Router ISP
    |
    |
    Linux BOX
    |
    |
    CATALYST 36XX ——–>DMZ SERVER
    |
    |
    LAN

    We use some public IP on DMZ Server, and I use VLAN and each VLAN has different network.
    Could you help me with this one… ???

  11. @wisnu – you need to look at iproute2 for telling your linux box about the route to the DMZ

  12. I have setup as above but have the
    TCP_DENIED/403 errors for every website i try.
    Please advice.

  13. Hi Alvin,

    Please check if you have included your local network as in:

    acl mynetwork src 192.168.0.0/24

    Thanks,
    Tek Bahadur Limbu

  14. Hello,
    how can I setup two or more bridges with squid for load balancing ?

  15. Great sharing teklimbu. I have a question and the scenario is that I have a linux(squid3) box with 1 nic (say 192.168.0.200) and 1 virtual ip (say 192.168.0.199) and the gateway (say 192.168.0.100). This machine is not connected directly to gateway however it is connected to unmanageable switch. Is there is a way that the client machine goes from linux box to gateway?

  16. Does it serves as fully transparent proxy ? I mean will the client’s IP reaches the destination ( eg webserver) instead of proxy IP ?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s