Traffic accounting via transparent Squid in iptables using NAT

Date of publication: 12.03.2024

The server already runs as a router (NAT gateway) for the local network, and the task is to account for all web traffic of every device that reaches the Internet through it.

The current configuration is described here: Setting up NAT in Linux Debian (Internet on a local network)

We will transparently redirect all web traffic (TCP ports 80 and 443) into Squid, which gives us a per-site log grouped by client device. HTTPS will be spliced rather than decrypted, so for HTTPS the log records the server name (taken from the TLS SNI) and byte counts, not URLs or content.

1. Install Squid and the SSL components (squid-openssl is the Debian build with ssl_bump support; the plain squid package lacks it)

apt install squid squid-openssl

1.1 Generate a self-signed CA certificate

The https_port that intercepts port 443 below runs in ssl-bump mode and will not start without a signing CA certificate and its private key, even though we only peek and splice and Squid never decrypts anything. When no key= option is given, Squid reads the key from the same file as the certificate, so write both into one file under /etc/squid/ssl (openssl appends the certificate after the key when -keyout and -out name the same file):

mkdir -p /etc/squid/ssl
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /etc/squid/ssl/squidCA.pem -out /etc/squid/ssl/squidCA.pem

The key can sign a certificate for any hostname, so keep the file private (mode 600). In the splice-only setup described here this CA does not need to be installed on client devices.
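An added example (not from the original article) of doing step 1.1 in a way that matches the cert= option used later: key and certificate go into one file, the certificate is explicitly marked as a CA, the key is made root-only, and a check confirms that both objects can be loaded from the file. The file path and the CN are placeholders chosen here; run it in a temporary directory first if you want to see it work before touching /etc/squid.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Generates the Squid signing CA with the private key and the certificate in
# ONE PEM file (what `https_port ... cert=FILE` expects when no key= is given),
# then verifies the file. Assumes openssl in PATH; path and CN are arguments.

make_squid_ca() {
    # $1: output file, e.g. /etc/squid/ssl/squidCA.pem
    # $2: subject CN (the default below is an assumed name, not a Squid default)
    ca="$1"
    cn="${2:-squid-intercept-ca}"
    mkdir -p "$(dirname "$ca")"
    # -keyout and -out name the same file: openssl writes the key, then appends
    # the certificate. The two -addext lines make it a real CA certificate,
    # which generate-host-certificates=on expects even though splice never uses it.
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -subj "/CN=$cn" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$ca" -out "$ca" 2>/dev/null || return 1
    # The key can sign certificates for any hostname: keep it root-only.
    chmod 600 "$ca"
}

# Returns 0 only if FILE holds a private key AND a certificate with CA:TRUE,
# i.e. exactly what Squid needs to load from cert=FILE.
squid_ca_ok() {
    ca="$1"
    grep -q 'PRIVATE KEY-----' "$ca" || return 1
    grep -q 'BEGIN CERTIFICATE-----' "$ca" || return 1
    # each tool picks out the PEM object it understands, even in a combined file
    openssl pkey -in "$ca" -noout 2>/dev/null || return 1
    openssl x509 -in "$ca" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}
```

Usage: `make_squid_ca /etc/squid/ssl/squidCA.pem && squid_ca_ok /etc/squid/ssl/squidCA.pem && echo ok`. A file that fails squid_ca_ok (typically a key written somewhere else than the certificate) is the usual reason an ssl-bump https_port refuses to start.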

1.2 Edit the squid configuration

nano /etc/squid/squid.conf
...
acl localnet src 100.100.100.0/24
...
acl SSL_ports port 443
acl Safe_ports port 80 # http
...
http_access allow localnet
http_access allow localhost
...
http_port 3128
http_port 3129 intercept
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squidCA.pem

Notes on these lines:

localnet must match the LAN subnet from the NAT setup, and http_access allow localnet must appear before the final http_access deny all (it is commented out in Debian's stock squid.conf); without it every intercepted request is refused.

Port 3128 stays as an ordinary forward proxy port. Ports 3129 and 3130 are intercept-only: they accept only connections redirected by NAT and must not be given to clients as proxy ports.

peek at step 1 reads the server name from the client's TLS ClientHello; splice then passes the encrypted session through untouched. Squid never decrypts, so the CA is never used to forge site certificates, but an ssl-bump https_port still refuses to start without a usable signing certificate and key.

The directives sslproxy_cert_error allow all and sslproxy_flags DONT_VERIFY_PEER are not needed and should be left out: with splice Squid never opens its own TLS connection to the server, and sslproxy_flags was removed in Squid 4 (tls_outgoing_options replaced it). Disabling certificate verification only matters when bumping, and then it defeats the purpose of TLS.

1.2.1 Check the configuration and restart the service

Run Squid's configuration parser first (squid -k parse); it reports unknown or obsolete directives and a missing certificate or key without touching the running service. Then restart:

service squid restart

1.3 Redirect web traffic to the proxy

Both rules go into the nat table's PREROUTING chain, so they act on packets arriving from the LAN before the routing decision. Restrict them to the local network: without a source match, any packet that reaches the router on port 80 or 443 from the Internet side would also be pushed into the intercept ports.

iptables -t nat -A PREROUTING -s 100.100.100.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3129
iptables -t nat -A PREROUTING -s 100.100.100.0/24 -p tcp --dport 443 -j REDIRECT --to-ports 3130

If the LAN interface name is known from the NAT setup, add -i <interface> as well; if the router itself serves a web interface on these ports, exclude its own LAN address with ! -d. Squid's own outgoing connections originate on the router (OUTPUT chain, not PREROUTING), so they are not redirected and no loop occurs. These rules are lost on reboot; persist them the same way as the NAT rules.

1.4 Check the traffic flow

tail -f /var/log/squid/access.log

Open any website from a device on the local network; the corresponding entries should appear in the log:

1710202038.351 5012 100.100.100.101 TCP_TUNNEL/500 3815 CONNECT synay.net:443 - ORIGINAL_DST/89.104.77.7 -
1710202108.954 75616 100.100.100.101 TCP_TUNNEL/500 9916 CONNECT synay.net:443 - ORIGINAL_DST/89.104.77.7 -

Each line shows the client address (100.100.100.101), the result (TCP_TUNNEL means the TLS session was spliced and passed through undecrypted), the bytes transferred, the requested host and port (for HTTPS this is the server name from the TLS ClientHello), and the real destination that Squid recovered from the NAT table (ORIGINAL_DST/89.104.77.7). All web traffic now passes through Squid, and a readable report can be produced with SARG; how to configure it is described here: Installing and configuring SARG on a SQUID proxy server.

All web traffic from every device in the office is now accounted for: at any time we can see which device opened which sites, when, and how much data was transferred. Keep the limits in mind: only TCP ports 80 and 443 are redirected, so traffic on other ports, HTTP/3 over UDP 443 (QUIC) and anything a client tunnels through a VPN is not seen; for HTTPS only the hostname and byte counts are recorded, not URLs; and a client that sends no SNI is logged under the destination IP address.
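For a quick per-device, per-site breakdown without SARG, here is an added example (not from the original article) that reduces access.log lines in the stock "squid" logformat to bytes and request counts per client and host. The sample lines are constructed: the first two mirror the excerpt above, the rest are made up to cover plain HTTP and a client that sent no SNI.

```shell
#!/bin/sh
# Added example, not part of the original article: per-device, per-site
# accounting straight from access.log, for the stock "squid" logformat:
#   time elapsed client code/status bytes method url ident hierarchy/peer type
# Assumes that logformat has not been customised, so the fields are positional.

# Constructed sample lines in that format (the first two mirror the article's
# excerpt; the rest are made up to cover plain HTTP and a client without SNI).
sample_log() {
    cat <<'EOF'
1710202038.351 5012 100.100.100.101 TCP_TUNNEL/500 3815 CONNECT synay.net:443 - ORIGINAL_DST/89.104.77.7 -
1710202108.954 75616 100.100.100.101 TCP_TUNNEL/500 9916 CONNECT synay.net:443 - ORIGINAL_DST/89.104.77.7 -
1710202121.002 230 100.100.100.101 TCP_MISS/200 12876 GET http://example.com/index.html - ORIGINAL_DST/93.184.216.34 text/html
1710202140.517 410 100.100.100.102 TCP_TUNNEL/200 2200 CONNECT example.org:443 - ORIGINAL_DST/93.184.216.34 -
1710202150.900 120 100.100.100.102 TCP_TUNNEL/200 1800 CONNECT 89.104.77.7:443 - ORIGINAL_DST/89.104.77.7 -
EOF
}

# stdin: access.log  ->  stdout: "client host bytes requests", one line per
# (client, site), sorted by client and then by bytes descending.
squid_site_summary() {
    awk '
    NF < 7 { next }                      # skip blank or truncated lines
    {
        client = $3; bytes = $5; method = $6; host = $7
        if (method != "CONNECT") {
            sub("^[a-z]+://", "", host)  # plain HTTP: strip the scheme ...
            sub("/.*$", "", host)        # ... and the path, keep host[:port]
        }
        # spliced HTTPS is logged as "CONNECT host:443"; the host is the TLS SNI,
        # or the bare destination IP if the client sent none
        sub(":[0-9]+$", "", host)
        key = client " " host
        b[key] += bytes
        n[key] += 1
    }
    END { for (k in b) printf "%s %d %d\n", k, b[k], n[k] }
    ' | sort -k1,1 -k3,3nr
}

# stdin: access.log  ->  stdout: "client bytes", total per device.
squid_client_totals() {
    awk 'NF >= 7 { t[$3] += $5 } END { for (c in t) printf "%s %d\n", c, t[c] }' \
        | sort -k1,1
}
```

Usage on the real log: `squid_site_summary < /var/log/squid/access.log`. Note that for HTTPS a "request" is one spliced TLS session, not one page view, and that a host shown as a bare IP address is a client that sent no SNI.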
