Proxy on a switch

By cluciano41 ·
My boss would like to deploy proxy servers to all 10 of our locations, and I'm in charge of configuring and deploying them. Most locations just have a simple Belkin switch that I can plug the ubuntu box into. The other 3 computers all run Windows XP. I want to run all http traffic through the ubuntu box. My boss only want employees to access our certain sites. I am having trouble doing so. Currently I have a Ubuntu 10.10 box. I installed squid and Web content control. The setting are all at the defaults. How do I go about running all http traffic through this ubuntu box so that the other 3 computers only have access to these sites? Thanks for your time.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Maybe consider a Linux/BSD based firewall instead

by JoelV In reply to Proxy on a switch

From what you are describing, you may want to take a look at some of the Linux or FreeBSD based firewalls that are available. Endian Community Version, PFSense, Smoothwall, and IPCop would all be good options. It should just be a matter of having a connetion to your Belkin (for the "external" or "Red" connection) and an "internal" or "green" connection that your internal XP machines would use as their default gateway and proxy.

Hope that helps.

Collapse -

User based firewall

by cluciano41 In reply to Maybe consider a Linux/BS ...

The purpose of the proxy is to limit only certain users. I didn't think this could be accomplished with a firewall.

Collapse -

The way I do this at home

by robo_dev In reply to Proxy on a switch

My proxy server has two NICS, with a 192.168.0.x network as the 'adults network'. the adults network does not go through the proxy server. I consider my 192.168.0.x the 'outer' network of my proxy server (AllegroSurf running on Windows XP).

The second NIC in the proxy server defines a 192.168.1.x 'kids network'. This is my 'inner network' which is completely separate and distinct from the other network.

The proxy server 'adults network' simply connects to the firewall/router.

There is a separate ethernet switch and wlan access point on the kids network.

The kids PCs each have a static IP address, and their default gateway is the proxy. Most importantly, in the web browser, the proxy settings must be set to the port and IP address of the proxy.

Since the proxy server is not a router, and routing is turned off in the proxy server, the only way a user can get to the web is through the proxy.

One wrinkle to all of the above:

Some devices (e.g. Nintendo Wii, Nintendo DS) do not play well with proxies. For those devices I setup a separate firewall router in parallel with the proxy server. Such that it's outside interface is on the adults network and it's local interface is on the kids network. There are specific firewall rules that only allow the mac addresses and IP addresses of specific devices to get to the Internet without going through the proxy. I also use this router (Netgear FVS311) as a DHCP server for some PCs instead of using static addresses, but I digress...

NOTE: In your case, you may not need the 'router/firewall in parallel' configuration. This is mainly to provide DHCP as well as to deal with devices which do not play well with proxy servers.

Collapse -


by cluciano41 In reply to The way I do this at home

So are you saying that I need need to route all traffic at the physical layer in order to route all traffic through the proxy? If i have 3 computers for normal crew members, than do I need three NICs on the proxy box?

Collapse -

Two NICs is enough

by TobiF In reply to Proxy

If all computers ("kids", as well as "adults") have direct network contact with your router, then you need to tell your router to only let certain computers through. That is a tedious and maybe foolproof, but not "smartproof", since assuming someone else's MAC address could let you through.

Therefore, typical proxy solutions better have two NICs. One side (the outer) needs access to the internet, in order catch allowed content; the inner is used to talk to the secured, inner network.

So, if you want to employ an old computer as your new proxy server, then, typically, you'll have to fit in an additional NIC card, and then load your proxy system.

Collapse -

Correct, my proxy server has two NICs

by robo_dev In reply to Two NICs is enough

one NIC is connected to my Internet router, the other is plugged into a Cisco ethernet switch, which is the 'kids' network.

What would be real helpful here on TR would be the ability to add pictures or diagrams. The things that I assume are clearly explained in words could better be described in a simple drawing.

Related Discussions

Related Forums