
Banned sites with Squid proxy

A common problem at companies is Internet access.

Many employees spend their working time on social networking sites (Facebook, YouTube...).

Today I will explain the "solution" we used 3 years ago in a medium-size company (400 employees).

The idea was to allow Internet surfing only to the sites we thought they needed for their work. This is done by denying all sites and keeping a list of allowed sites (you can do it the other way around with a list of banned sites, but a default-deny list is much harder to slip past).

This example was implemented on a Pentium III 800 MHz, 196 MB RAM, 20 GB HD and 1 ethernet card running Debian. As far as I know it still works perfectly.

Of course, first we need a fully working system.

After that we install squid (the proxy) and iptables (for port redirection):

apt-get install squid iptables

Now we configure squid:

vi /etc/squid/squid.conf

And inside, something like this:

http_port 8080
# memory for the cache
cache_mem 16 MB
# here is the cache: storage type, directory, size in MB, number of L1 and L2 subdirectories
cache_dir ufs /var/spool/squid 100 16 256

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
offline_mode on
ie_refresh on

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl redlocal src 172.16.0.0/255.255.255.0
acl allowed_sites url_regex "/etc/squid/allowed_sites"

http_access allow allowed_sites
http_access allow localhost
http_access deny all

Of course you need to replace the IPs with yours. Two things to note about this configuration. The httpd_accel_* directives are the Squid 2.5 way of doing transparent interception; Squid 2.6 and later dropped them in favour of "http_port 8080 transparent" ("intercept" from 3.1 on), so on a newer Squid use that line and leave the httpd_accel_* lines out. Also, redlocal is defined but never used in an http_access rule, so as written anyone who can reach port 8080 can use the proxy for the allowed sites; "http_access allow redlocal allowed_sites" instead of "http_access allow allowed_sites" limits it to the LAN.

Now we need to allow some sites. You can be very specific here or allow more. Example:

vi /etc/squid/allowed_sites

And inside you can use:
google – matches any URL that contains the string google anywhere, so http://evil.example/?q=google is allowed as well
google.com – this does not mean only google.com and its subdomains: a url_regex is unanchored and the dot matches any character, so http://google.com.evil.example/ and http://evil.example/google.com/ also pass

In other words, a url_regex list of bare words is easy to bypass. If what you mean is "this host and its subdomains", a dstdomain ACL with entries like .google.com is the right tool; if you keep url_regex, anchor the pattern to the host part of the URL and escape the dots.
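To make the difference concrete, here is a small shell script (an added example, not part of the original post) that emulates how Squid evaluates a url_regex ACL against the whole URL and how a dstdomain ACL evaluates only the host. The patterns and URLs are constructed for illustration; with a real Squid the equivalent fix is "acl allowed_sites dstdomain "/etc/squid/allowed_sites"" and one domain per line such as .google.com.

```shell
#!/bin/sh
# Added example (not from the original post): emulate Squid's url_regex
# matching (whole URL, unanchored regex) versus dstdomain matching (host
# only) to show why "google" / "google.com" in a url_regex list is a bypass.
# All patterns and URLs below are constructed for illustration.

# url_regex semantics: an unanchored extended regex tested against the full
# URL. Returns 0 (allowed) if the pattern occurs anywhere in the URL.
url_regex_allows() {            # $1 = pattern, $2 = URL
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Extract the host from a URL: drop the scheme, user:pass@, port and path.
host_of() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://##; s#^[^/@]*@##; s#[:/].*$##'
}

# dstdomain semantics: ".example.com" matches example.com and any subdomain;
# "example.com" (no leading dot) matches that exact host only.
dstdomain_allows() {            # $1 = domain entry, $2 = URL
    h=$(host_of "$2")
    case "$1" in
        .*) [ "$h" = "${1#.}" ] && return 0
            case "$h" in *"$1") return 0 ;; esac
            return 1 ;;
        *)  [ "$h" = "$1" ] ;;
    esac
}

# Print one verdict line: ACL type, entry, URL, ALLOW/DENY.
show() {                        # $1 = acl type, $2 = entry, $3 = URL
    if "${1}_allows" "$2" "$3"; then r=ALLOW; else r=DENY; fi
    printf '%-9s %-12s %-40s %s\n' "$1" "$2" "$3" "$r"
}

# Constructed sample URLs: one legitimate, three that only look like Google.
for u in 'http://www.google.com/search?q=squid' \
         'http://evil.example/?q=google' \
         'http://google.com.evil.example/' \
         'http://evil.example/google.com/login'; do
    show url_regex 'google'      "$u"
    show url_regex 'google.com'  "$u"
    show dstdomain '.google.com' "$u"
done
```

Run it and compare the three verdict lines per URL: both url_regex entries allow the three look-alike URLs, the dstdomain entry allows only the real Google host.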

Now we restart squid (on Debian, through its init script; "squid -k reconfigure" also works and keeps the cache warm):

/etc/init.d/squid restart

Something important is to configure iptables to redirect the traffic to the proxy port; this is what makes the proxy transparent:

vi /etc/init.d/squid_redirect.sh

#!/bin/sh
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080

Make it executable and register it as a service (the name given to update-rc.d must match the file you created):

chmod +x /etc/init.d/squid_redirect.sh
update-rc.d squid_redirect.sh defaults
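The one-line script above only handles port 80 and cannot be stopped cleanly. Below is a fuller init script, written for this page as an added example (it is not the original post's script). It assumes the post's values: clients in 172.16.0.0/24 arriving on eth0, Squid on port 8080, and this box being the clients' default gateway. Besides the REDIRECT it forwards DNS, lets replies back, and rejects everything else the LAN tries to send through the gateway, so HTTPS can only go out via an explicitly configured proxy (a CONNECT request, which is still subject to the http_access list) instead of bypassing the allow list on port 443.

```shell
#!/bin/sh
# /etc/init.d/squid_redirect -- added example, not the original post's script.
# Assumptions (change to match your network): clients are 172.16.0.0/24 on
# eth0 as in the post's acl, Squid listens on 8080, and this box is the
# clients' default gateway, so it must decide what happens to everything that
# is NOT plain HTTP (HTTPS on 443 in particular, which REDIRECT never sees).
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-172.16.0.0/24}
PROXY_PORT=${PROXY_PORT:-8080}
IPTABLES=${IPTABLES:-iptables}

# Emit the rule set, one command per line. $1 is -A (add) or -D (delete), so
# the same list installs and removes the rules. Order matters for -A:
#  1. plain HTTP from the LAN is redirected to Squid (handled locally, never
#     reaches FORWARD);
#  2. DNS is forwarded, because clients resolve names themselves in
#     transparent mode;
#  3. replies to established flows are forwarded;
#  4. anything else from the LAN is rejected, so 443 and other ports cannot
#     bypass the allow list through the gateway.
rules() {
    cat <<EOF
$IPTABLES -t nat $1 PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
$IPTABLES $1 FORWARD -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
$IPTABLES $1 FORWARD -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
$IPTABLES $1 FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES $1 FORWARD -i $LAN_IF -s $LAN_NET -j REJECT
EOF
}

start() {
    # We are the gateway, so forwarding must be on for DNS and for replies.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    rules -A | sh -e
}

stop() {
    # Ignore errors here: a rule may already have been removed by hand.
    rules -D | sh
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    show)    rules -A ;;   # dry run: print what start would execute
    "")      ;;            # no argument: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 {start|stop|restart|show}" >&2; exit 2 ;;
esac
```

Install it with chmod +x /etc/init.d/squid_redirect and update-rc.d squid_redirect defaults; "show" prints the rules without touching the firewall, which is worth doing once before "start" on a box you can only reach over the network.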

Once all of this is done, there are two ways for the users to reach the proxy.

  • We change the browser connection settings to use the proxy. Problem: they can disable it.
  • We set this machine as the default gateway in the clients' connection properties. This one is my favourite, since if you disable the other gateway they have no other option 😉

Keep in mind that the REDIRECT rule only catches port 80. With the gateway approach, anything else the box forwards (HTTPS on 443 above all) goes straight out untouched, so the gateway also has to drop or reject the traffic you do not want to forward; otherwise "no other option" only holds for plain HTTP.

I hope this manual is useful. Regards