Foreword

Warning

Please consider this tutorial as a proof-of-concept only. If you are a novice network administrator take everything described here with a huge grain of salt and seek professional advice before implementing it in the production. The explicit proxying scenario is almost always better than transparent one described in this tutorial.

Our goal is to enforce web filtering in our network for all outbound HTTP/HTTPS traffic. We will implement this by using Squid proxy for interception of traffic and Web Safety ICAP server for web filtering.

For specific reasons which cannot be reconsidered we cannot follow the normal, explicit proxy way of doing things and decide to forcebly filter all HTTP/HTTPS connections on our gateway. As users browsers are not configured to use proxy directly this deployment scenario is usually called NAT intercept.

We will run this tutorial within VMWare Workstation 14. Our gateway machine will be based on CentOS 7. Our network will accomodate addresses from 10.0.0.0 subnet with network mask set to 255.255.0.0. All workstations in our network will have 10.0.0.1 set as default gateway. Our gateway will have two network interface cards (NIC) with the following parameters:

  1. ens32 - network card facing public Internet with address assinged by DHCP of Internet Service Provider.
  2. ens33 - network card facing our private lan with address statically set to 10.0.0.1, netmask 255.255.0.0

The following screenshot shows results of ip addr command run on our gateway:

../../_images/ip_addr2.png

Before we begin, please download the archive with all scripts mentioned in this article (see previous step) and upload/unpack it into your home folder on the gateway. Contents of each script will be shown in the appropriate places in this tutorial.