Let us face some facts. Not everybody, especially a small office network or a small home network can afford a Cisco catalyst switch. To replicate the features of a sophisticated switch like a Cisco catalyst switch, we can setup a Linux box with more than 2 network interfaces to run in bridging mode. Or more simply, a Linux bridged box having switching capabilities.
A bridge is a way to connect two Ethernet segments together in a protocol independent way. Packets are forwarded based on Ethernet address, rather than IP address (like a router). Since forwarding is done at Layer 2, all protocols can go transparently through a bridge.
You can think of a bridge like a network switch. We will be using this Linux Transparent Squid Bridge like a switch according to the network diagram below:
Internet (5)
↑↓
Router (4)
↑↓
Linux Bridge (3)
↑↓
Physical Switch (2)
↑↓
LAN Network (1)
Reasons for running a Linux bridge are:
(A.) The job of the bridge is to examine the destination of the data packets one at a time and decide whether or not to pass the packets to the other side of the Ethernet segment. The result is a faster, quieter network with less collisions.
(B.) You can overcome hardware incompatibilities with a bridge, without leaving the address-range of your IP-net or subnet. E.g. it’s possible to bridge between different physical media like 10 Base T and 100 Base TX.
(C.) You don’t need to change your existing network layout. You just plug in the bridge and you start working. If for some reasons, your Linux bridge box should go down, reconnect the cables from your switch (2) to your router (4), and nobody will even notice that something was not working!
- Features of a Linux Bridge box:
- STP
- The Spanning Tree Protocol is a nifty method of keeping Ethernet devices connected in multiple paths working. The participating switches negotiate the shortest available path by STP.
- Multiple Bridge Instances
- Multiple bridge instances allow you to have more than one bridge on your box up and running, and to control each instance separately.
- Fire-walling
Because we are running a Linux box with a kernel 2.4.x or 2.6.x, we can also apply some IPTABLES firewall rules.
What do I need to run such a Linux Bridge?
You just need a Linux OS with a kernel greater than 2.4. I prefer the 2.6 kernel. The minimum number of network interfaces in your Linux box should at least be 2. This guide assumes that the Linux box has 2 network interfaces, i.e., eth0 and eth1.
However, you may use any number of network interfaces supported on by the hardware of your Linux box.
You then need the “bridge-utils” package. The 2nd tool needed is “ebtables”.
You can use either the binaries installed by your OS distribution or simply download them from the internet.
On a Debian box , it’s as simple as: apt-get install bridge-utils ebtables
The Bridge-Utils package contains the main tools required to setup and configure a Linux bridge. Among the tools provided by bridge-utils, brctl will primarily be used to construct the bridge.
The ebtables program is a filtering tool for a bridging firewall. The filtering is focussed on the Link Layer Ethernet frame fields. It also gives us the ability to alter the Ethernet MAC addresses.
Now that you have a 2.4/2.6 Linux kernel box and you have somehow managed to install the bridge-utils and ebtables packages, we can move on to the next topic of configuring the bridge and running a transparent squid on it.
Installing and configuring Squid
(1.) Create the user squid and group squid
groupadd squid
useradd -g squid squid
(2.) Download the latest version of squid in /usr/local/src
cd /usr/local/src
wget http://www.squid-cache.org/Versions/v2/2.6/squid-2.6.STABLE18.tar.gz
(3.) Unzip it’s contents
tar zxvf squid-2.6.STABLE18.tar.gz
(4.) Configure squid with the following parameters
cd squid-2.6.STABLE18
./configure –bindir=/usr/local/sbin \
–sysconfdir=/usr/local/etc/squid \
–datadir=/usr/local/etc/squid \
–libexecdir=/usr/local/libexec/squid \
–localstatedir=/usr/local/squid \
–enable-removal-policies=heap,lru \
–enable-storeio=diskd,aufs,coss,ufs,null \
–enable-time-hack \
–enable-snmp \
–with-large-files \
–enable-large-cache-files \
–prefix=/usr/local \
–disable-ident-lookups \
–enable-cache-digests \
–enable-underscores \
–enable-kill-parent-hack \
–enable-follow-x-forwarded-for
(5.) If all goes well, run
make all
make install
That’s it. Squid should now be installed. It’s time to do some Squid configurations.
Note: If you encounter problems in configuring or compilation, 99% of them can be solved. The errors are either related to missing compilers, packages or dependencies.
(6.) Create a new Cache directory for Squid
mkdir -p /usr/local/squid/cache
(7.) Create a new /usr/local/etc/squid/squid.conf
cd /usr/local/etc/squid
mv /usr/local/etc/squid/squid.conf /usr/local/etc/squid/squid.conf.default.config
vi /usr/local/etc/squid/squid.conf
##Copy and paste following working configuration
########### Start of squid.conf ##############
cache_effective_user squid
cache_effective_user squid
http_port 3128 transparent
cache_dir ufs /usr/local/squid/cache 2000 16 256
cache_access_log /usr/local/squid/logs/access.log
cache_log /usr/local/squid/logs/cache.log
cache_store_log none
emulate_httpd_log on
cache_mem 16 MB
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 40% 4320
acl all src 0.0.0.0/0.0.0.0
##Define your network below
acl mynetwork src 192.168.0.0/24
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 #unregistered ports
acl SSL_ports port 443 563
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow mynetwork
http_access deny all
http_reply_access allow all
icp_access allow mynetwork
icp_access deny all
visible_hostname proxybridge.hostname.com
coredump_dir /usr/local/squid
######## End of squid.conf ##########
(8.) Change the permissions of squid logs and cache_dir
chown -R squid:squid /usr/local/squid/
chown -R squid:squid /usr/local/etc/squid/
(9.) Initialize Squid’s cache and run Squid in daemon mode
/usr/local/sbin/squid -z
/usr/local/sbin/squid -D
Check for any errors. If there are none, put the proxy server manually in your web browser and try browsing websites!
Next, we will setup a bridge using the tools provided by the package “bridge_utils”
As stated above, 1 of the most important tools installed by the bridge-utils package is brctl command.
We will be using the brctl command for creating a logical bridge instance with the name br0. You will need at least 1 bridge instance for bridging to work.
(1.) Creating the logical bridge instance called br0.
#Add bridge instance called br0
brctl addbr br0
#Show your bridge status
brctl show
#Show MAC addresses on your bridge
brctl showmacs br0
(2.) Add your network interfaces to the bridge.
brctl addif br0 eth0
brctl addif br0 eth1
(3.) Zero in your IP network interfaces to 0.0.0.0 and bring it up.
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
(4.) Bring up the bridge. Since we also want to administer this bridge box, we point an IP address to the br0 interface.
ifconfig br0 192.168.100.9 netmask 255.255.255.0 up
(5.) Give your bridge interface br0 a default gateway so that you can access it via SSH, etc.
route add default gw 192.168.100.1 dev br0
That’s it. You have a simple yet a very effective Linux bridge box!
The final remaining part is to redirect the web requests from your network to your bridged box running Squid transparently.
(1.) To redirect web traffic from your LAN to your Bridge box transparently, run the following script called rc.bridge.
#####Start of rc.bridge script ######
#!/bin/sh
###Date: 12-Oct-2007
###tekbdrlimbu@hotmail.com####
/sbin/ebtables -t broute -A BROUTING -p IPv4 –ip-protocol 6 \
–ip-destination-port 80 -j redirect –redirect-target ACCEPT
/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp –dport 80 \
-j REDIRECT –to-port 3128
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j REDIRECT –to-ports 3128
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp –dport 80 -j REDIRECT –to-ports 3128
/sbin/iptables -t nat -A PREROUTING -i br0 -p tcp –dport 80 -j REDIRECT –to-ports 3128
######### End of rc.bridge script #####
Run this script and restart Squid. You will have a working Squid transproxy running in a Linux bridged box!!!
We will cover more advanced topics like Spanning Tree Protocol (STP) , MAC and ARP filtering , etc, in the coming days ahead.